- 9 minutes to read
- Applies to:
- ✅ Windows 10 and later, ✅ Windows Server 2016 and later
Windows Defender Firewall with Advanced Security provides host-based, two-waynetwork traffic filtering and blocks unauthorized network traffic flowing intoor out of the local device. Configuring your Windows Firewall based on thefollowing best practices can help you optimize protection for devices in yournetwork. These recommendations cover a wide range of deployments including homenetworks and enterprise desktop/server systems.
To open Windows Firewall, go to the Start menu, select Run,type WF.msc, and then select OK. See also Open Windows Firewall.
Keep default settings
When you open the Windows Defender Firewall for the first time, you can see the default settings applicable to the local computer. The Overview panel displays security settings for each type of network to which the device can connect.
Figure 1: Windows Defender Firewall
- Domain profile: Used for networks where there's a system of account authentication against an Active Directory domain controller
- Private profile: Designed for and best used in private networks such as a home network
- Public profile: Designed with higher security in mind for public networks, like Wi-Fi hotspots, coffee shops, airports, hotels, or stores
View detailed settings for each profile by right-clicking the top-level Windows Defender Firewall with Advanced Security node in the left pane and then selecting Properties.
Maintain the default settings in Windows DefenderFirewall whenever possible. These settings have been designed to secure your device for use in most network scenarios. One key example is the default Block behavior for Inbound connections.
Figure 2: Default inbound/outbound settings
To maintain maximum security, do not change the default Block setting for inbound connections.
For more on configuring basic firewall settings, see Turn on Windows Firewall and Configure Default Behavior and Checklist: Configuring Basic Firewall Settings.
Understand rule precedence for inbound rules
In many cases, a next step for administrators will be to customize these profiles using rules (sometimes called filters) so that they can work with user apps or other types of software. For example, an administrator or user may choose to add a rule to accommodate a program, open a port or protocol, or allow a predefined type of traffic.
This rule-adding task can be accomplished by right-clicking either Inbound Rules or Outbound Rules, and selecting New Rule. The interface for adding a new rule looks like this:
Figure 3: Rule Creation Wizard
This article does not cover step-by-step rule configuration. See the Windows Firewall with Advanced Security Deployment Guide for general guidance on policy creation.
In many cases, allowing specific types of inbound traffic will be required for applications to function in the network. Administrators should keep the following rule precedence behaviors in mind when allowing these inbound exceptions.
- Explicitly defined allow rules will take precedence over the default block setting.
- Explicit block rules will take precedence over any conflicting allow rules.
- More specific rules will take precedence over less specific rules, except if there are explicit block rules as mentioned in 2. (For example, if the parameters of rule 1 include an IP address range, while the parameters of rule 2 include a single IP host address, rule 2 will take precedence.)
Because of 1 and 2, it's important that, when designing a set of policies, you make sure that there are no other explicit block rules in place that could inadvertently overlap, thus preventing the traffic flow you wish to allow.
A general security best practice when creating inbound rules is to be as specific as possible. However, when new rules must be made that use ports or IP addresses, consider using consecutive ranges or subnets instead of individual addresses or ports where possible. This approach avoids creation of multiple filters under the hood, reduces complexity, and helps to avoid performance degradation.
Windows Defender Firewall does not support traditional weighted, administrator-assigned rule ordering. An effective policy set with expected behaviors can be created by keeping in mind the few, consistent, and logical rule behaviors described above.
Create rules for new applications before first launch
Inbound allow rules
When first installed, networked applications and services issue a listen call specifying the protocol/port information required for them to function properly. As there's a default block action in Windows Defender Firewall, it's necessary to create inbound exception rules to allow this traffic. It's common for the app or the app installer itself to add this firewall rule. Otherwise, the user (or firewall admin on behalf of the user) needs to manually create a rule.
If there's no active application or administrator-defined allow rule(s), a dialog box will prompt the user to either allow or block an application's packets the first time the app is launched or tries to communicate in the network.
If the user has admin permissions, they'll be prompted. If they respond No or cancel the prompt, block rules will be created. Two rules are typically created, one each for TCP and UDP traffic.
If the user isn't a local admin, they won't be prompted. In most cases, block rules will be created.
In either of the scenarios above, once these rules are added they must be deleted in order to generate the prompt again. If not, the traffic will continue to be blocked.
The firewall's default settings are designed for security. Allowing all inbound connections by default introduces the network to various threats. Therefore, creating exceptions for inbound connections from third-party software should be determined by trusted app developers, the user, or the admin on behalf of the user.
Known issues with automatic rule creation
When designing a set of firewall policies for your network, it's a best practice to configure allow rules for any networked applications deployed on the host. Having these rules in place before the user first launches the application will help ensure a seamless experience.
The absence of these staged rules doesn't necessarily mean that in the end an application will be unable to communicate on the network. However, the behaviors involved in the automatic creation of application rules at runtime require user interaction and administrative privilege. If the device is expected to be used by non-administrative users, you should follow best practices and provide these rules before the application's first launch to avoid unexpected networking issues.
To determine why some applications are blocked from communicating in the network, check for the following instances:
- A user with sufficient privileges receives a query notification advising them that the application needs to make a change to the firewall policy. Not fully understanding the prompt, the user cancels or dismisses the prompt.
- A user lacks sufficient privileges and is therefore not prompted to allow the application to make the appropriate policy changes.
- Local Policy Merge is disabled, preventing the application or network service from creating local rules.
Creation of application rules at runtime can also be prohibited by administrators using the Settings app or Group Policy.
Figure 4: Dialog box to allow access
See also Checklist: Creating Inbound Firewall Rules.
Establish local policy merge and application rules
Firewall rules can be deployed:
- Locally using the Firewall snap-in (WF.msc)
- Locally using PowerShell
- Remotely using Group Policy if the device is a member of an Active Directory Name, System Center Configuration Manager, or Intune (using workplace join)
Rule merging settings control how rules from different policy sources can be combined. Administrators can configure different merge behaviors for Domain, Private, and Public profiles.
The rule-merging settings either allow or prevent local administrators from creating their own firewall rules in addition to those rules obtained from Group Policy.
Figure 5: Rule merging setting
In the firewall configuration service provider, the equivalent setting is AllowLocalPolicyMerge. This setting can be found under each respective profile node, DomainProfile, PrivateProfile, and PublicProfile.
If merging of local policies is disabled, centralized deployment of rules is required for any app that needs inbound connectivity.
Administrators may disable LocalPolicyMerge in high-security environments to maintain tighter control over endpoints. This setting can impact some applications and services that automatically generate a local firewall policy upon installation as discussed above. For these types of apps and services to work, admins should push rules centrally via group policy (GP), Mobile DeviceManagement (MDM), or both (for hybrid or co-management environments).
Firewall CSP and Policy CSP also have settings that can affect rule merging.
As a best practice, it's important to list and log such apps, including the network ports used for communications. Typically, you can find what ports must be open for a given service on the app's website. For more complex or customer application deployments, a more thorough analysis may be needed using network packet capture tools.
In general, to maintain maximum security, admins should only push firewall exceptions for apps and services determined to serve legitimate purposes.
The use of wildcard patterns, such as C:*\teams.exe is not supported in application rules. We currently only support rules created using the full path to the application(s).
Know how to use "shields up" mode for active attacks
An important firewall feature you can use to mitigate damage during an active attack is the "shields up" mode. It's an informal term referring to an easy method a firewall administrator can use to temporarily increase security in the face of an active attack.
Shields up can be achieved by checking Block allincoming connections, including those in the list of allowed apps setting found in either the Windows Settings app or the legacy file firewall.cpl.
Figure 6: Windows settings App/Windows Security/Firewall Protection/Network Type
Figure 7: Legacy firewall.cpl
By default, the Windows Defender Firewall will block everything unless there's an exception rule created. This setting overrides the exceptions.
For example, the Remote Desktop feature automatically creates firewall rules when enabled. However, if there's an active exploit using multiple ports and services on a host, you can, instead of disabling individual rules, use the shields up mode to block all inbound connections, overriding previous exceptions, including the rules for Remote Desktop. The Remote Desktop rules remain intact but remote access won't work as long as shields up is activated.
Once the emergency is over, uncheck the setting to restore regular network traffic.
Create outbound rules
What follows are a few general guidelines for configuring outbound rules.
- The default configuration of Blocked for Outbound rules can be considered for certain highly secure environments. However, the Inbound rule configuration should never be changed in a way that Allows traffic by default
- It's recommended to Allow Outbound by default for most deployments for the sake of simplification around app deployments, unless the enterprise prefers tight security controls over ease-of-use
- In high security environments, an inventory of all enterprise-spanning apps must be taken and logged by the administrator or administrators. Records must include whether an app used requires network connectivity. Administrators will need to create new rules specific to each app that needs network connectivity and push those rules centrally, via group policy (GP), Mobile Device Management (MDM), or both (for hybrid or co-management environments)
For tasks related to creating outbound rules, see Checklist: Creating Outbound Firewall Rules.
Document your changes
When creating an inbound or outbound rule, you should specify details about the app itself, the port range used, and important notes like creation date. Rules must be well-documented for ease of review both by you and other admins. We highly encourage taking the time to make the work of reviewing your firewall rules at a later date easier. And never create unnecessary holes in your firewall.
How to configure Windows Defender Firewall? ›
- Select Start , then open Settings . ...
- Select a network profile: Domain network, Private network, or Public network.
- Under Microsoft Defender Firewall, switch the setting to On. ...
- To turn it off, switch the setting to Off.
Create Secure User Accounts
Make sure your firewall is guarded by at least one of the following configuration measures to keep out any potential attackers: Change all default passwords and delete, deactivate, or rename any default user accounts. Make careful to choose passwords that are both complex and safe.
Windows Defender is essentially an anti-malware scanner.
But in Windows 10, it has firewall capabilities through the Windows Defender Firewall, which is the updated version of the classic firewall built into the world's most popular operating system.
It has a very strong firewall and a good number of features for the program and device security. However, the scanning performance is very poor, and secure browsing is only possible with Microsoft Edge.What are the best practices in defending the network? ›
- Understand the OSI Model. ...
- Understand Types of Network Devices. ...
- Know Network Defenses. ...
- Segregate Your Network. ...
- Place Your Security Devices Correctly. ...
- Use Network Address Translation. ...
- Don't Disable Personal Firewalls. ...
- Use Centralized Logging and Immediate Log Analysis.
Allowlisting takes more of a trust-centric approach and is considered to be more secure.What are two best practices when implementing firewall security policies? ›
Add a stealth rule in the firewall policy to hide the firewall from network scans. Limit management access to specific hosts. Firewalls are not immune to vulnerabilities. Check with the vendor to see if there are any known vulnerabilities and security patches that fix the vulnerability.Which are two main rules categories in Windows Defender firewall? ›
To provide the security you need, the Windows Defender Firewall has a standard set of inbound and outbound rules, which are enabled depending on the location of the connected network.What is the proper rule for a firewall? ›
Firewall rules: Determine what traffic your firewall allows and what is blocked. Examine the control information in individual packets, and either block or allow them according to the criteria that you define. Control how the firewalls protect your network from malicious programs and unauthorized access.How do I maximize my Windows Firewall? ›
- Build rules to binaries or executables. ...
- Identify blocked applications. ...
- Set up security monitoring. ...
- Block PowerShell from internet access. ...
- Set firewall rules with PowerShell. ...
- Review new Windows 10 security baselines. ...
- Audit settings regularly.
What is the best firewall architecture? ›
The true DMZ is generally considered the most secure of firewall architectures. With this design, there is an external and internal firewall. Between the two is sandwiched any Internet accessible devices (see Figure 2.3).What are the disadvantages of Windows Defender? ›
- Lacks integrated dashboard for all devices using Windows Defender.
- No accountability if the computer is infected by malware.
- Limited features for large scale use.
- Slows down installation of frequently-used applications.
You do need an antivirus for Windows 10, even though it comes with Microsoft Defender Antivirus. That's because this software lacks endpoint protection and response plus automated investigation and remediation.Which apps should I allow through defender firewall? ›
The apps you want are your browsers like Edge, Chrome, Firefox, Internet Explorer and ports 80 and 443 to be open. That's what you want to allow. As for private and public the way that works is based on your connection. When you are at home with your machine you want to be set to private network.Can Windows Defender detect Trojans? ›
Scan your PC using Windows Security
Another method you can try is to scan your PC using built-in Windows virus and threat protection tools. Microsoft Defender (called Windows Defender Security Center in older versions of Windows 10) can perform virus scans and detect various types of malware.
Microsoft Defender scores 9.6, which is quite a good score. It's better than any other free product tested with this same sample set. Adaware, Avast, and Bitdefender Antivirus Free Edition all score 9.2, while Kaspersky, Panda, and Avira score still lower.Is Windows Defender Firewall the same as Windows Firewall? ›
Windows Firewall (officially called Microsoft Defender Firewall in Windows 10 version 2004 and later) is a firewall component of Microsoft Windows. It was first included in Windows XP SP2 and Windows Server 2003 SP1.What are the 7 layers of firewall? ›
- Physical Layer.
- Data Link Layer. ...
- Network Layer. ...
- Transport Layer. ...
- Session Layer. ...
- Presentation Layer. The presentation layer prepares data for the application layer. ...
- Application Layer. The application layer is used by end-user software such as web browsers and email clients. ...
- Hardware-based firewalls. A hardware-based firewall is an appliance that acts as a secure gateway between devices inside the network perimeter and those outside it. ...
- Software-based firewalls. A software-based firewall, or host firewall, runs on a server or other device. ...
- Cloud/hosted firewalls.
Four basic types of firewall protection exist--network level, circuit level, application-level and stateful multilayer. Each type has advantages and disadvantages, ranging from ease of implementation to high initial cost.
What are the 3 P's for effective networking? ›
Today I'll take a look at the three P's of networking: purpose, people, and process. Your primary purpose should be to establish some level of rapport, ideally developing that relationship over time. People tend to do business with – and hire – people they know, like, and trust.What are the three 3 basic network security measures? ›
- Firewalls. A firewall is a barrier or filter between a given network and the outside world or the internet at large. ...
- Access Control. ...
- Network Segmentation. ...
- Intrusion Prevention Systems.
- Audit the network and check security controls. ...
- Revisit and communicate security policies. ...
- Back up data and institute a recovery plan. ...
- Encrypt critical data. ...
- Update antimalware software. ...
- Set appropriate access controls and employ multifactor authentication.
- VPN - For safe and secure infrastructure, a VPN is a critical feature to include.
- Web filtering – This feature is used in filtering any compromising content that has been forbidden or flagged.
One of the most common firewall issues that businesses face is controls that aren't properly activated. Anti-spoofing tools, for example, are an important aspect of your managed security system since they prevent malware, spam, and other fake traffic from entering your network.What is best practice in firewall domain environment? ›
3. What is the best practice in the firewall domain environment? Explanation: All live servers or workstations are kept in a separate zone than inside and outside to enhance protection. 4.Which of the following is a firewall best practice? ›
- Block traffic by default and monitor user access. ...
- Establish a firewall configuration change plan. ...
- Optimize the firewall rules of your network. ...
- Update your firewall software regularly. ...
- Conduct regular firewall security audits.
- #1. Unified Security Management. Organizations must cope with rapidly increasing network security complexity. ...
- #2. Threat Prevention. ...
- #3. Application and Identity-Based Inspection. ...
- #4. Hybrid Cloud Support. ...
- #5. Scalable Performance.
The difference between inbound and outbound firewall rules
Customizable firewall rules enable specific ports, services and IP addresses to connect in or out. Inbound traffic originates from outside the network, while outbound traffic originates inside the network.
By default, the Windows Defender Firewall will block everything unless there's an exception rule created. This setting overrides the exceptions. For example, the Remote Desktop feature automatically creates firewall rules when enabled.
What is the best placement of a firewall? ›
Logically, this means that the firewall should be placed between the internet and the network. One of the most basic configurations would be a router that connects to a wide area network (WAN), then a firewall that connects to the router, filtering all traffic before distributing it throughout the network.What are the 4 common architectural implementations of firewalls? ›
There are four common architectural implementations of firewalls widely in use. They are packet filtering routers, screened host firewalls, dual-homed firewalls and screened subnet firewalls.Why is it important to configure firewall effectively? ›
Firewalls provide protection against outside cyber attackers by shielding your computer or network from malicious or unnecessary network traffic. Firewalls can also prevent malicious software from accessing a computer or network via the internet.What ports should be blocked on firewall? ›
- MS RPC TCP, UDP Port 135.
- NetBIOS/IP TCP, UDP Port 137-139.
- SMB/IP TCP Port 445.
- Trivial File Transfer Protocol (TFTP) UDP Port 69.
- System log UDP Port 514.
- Limit VPN Access If you have a sophisticated VPN system, you can make a firewall far more secure. ...
- Monitor User Access ...
- Shut Off Unused Network Services ...
- Update Firewall Software ...
- Automate the process of firewall updating ...
- Buy New Security Hardware ...
- Secure Wireless Access
Microsoft Defender is a good enough option for basic antivirus protection. It has a very strong firewall and a good number of features for the program and device security.Can a firewall be overloaded? ›
When your firewall becomes overloaded you experience high CPU usage, low throughput and slowing down of applications. As well as this, application performance may be seriously degraded.Does disabling firewall increase speed? ›
Disabling a firewall can boost performance, but doing so puts the entire network at risk. Companies that need a faster connection should either upgrade their equipment or their broadband service instead; the cost of recovering from a security breach can be far more expensive than the cost of new modem or router.What is 3 tier firewall architecture? ›
A three-tier architecture would include three firewalls: one on the outside and two different layers on the inside. The ISP should have a firewall that restricts all connections to their protected host except those that are absolutely required.What are the weaknesses of a firewall? ›
The weaknesses of a firewall: An inability to fend off attacks from within the system that it is meant to protect. This could take the form of people granting unauthorized access to other users within the network or social engineering assaults or even an authorized user intent on malafide use of the network.
Does Windows Defender include a firewall? ›
Because Windows Defender Firewall is a host-based firewall that is included with the operating system, there's no other hardware or software required.What is Windows Defender Firewall Advanced Settings for? ›
Windows Defender Firewall with Advanced Security is a host firewall that helps secure the device in two ways. First, it can filter the network traffic permitted to enter the device from the network, and also control what network traffic the device is allowed to send to the network.Is Windows Defender Firewall on by default? ›
The Windows Defender firewall is on by default, but if you want to check it out and make sure, you have to navigate to the Windows Defender Security Center. Open Settings by clicking or tapping on the Start button and then clicking the Settings icon. Scroll down the list and click on the Update & Security menu item.How do I configure and manage Windows updates and firewall? ›
To do this, users must go to Settings > Update & security > Windows Update. If this setting is set to Not Configured, an administrator can still configure Automatic Updates through the settings app, under Settings > Update & security > Windows Update > Advanced options.Is Windows Firewall and Defender firewall the same? ›
Windows Firewall (officially called Microsoft Defender Firewall in Windows 10 version 2004 and later) is a firewall component of Microsoft Windows. It was first included in Windows XP SP2 and Windows Server 2003 SP1.Does disabling firewall improve performance? ›
Disabling a firewall can boost performance, but doing so puts the entire network at risk. Companies that need a faster connection should either upgrade their equipment or their broadband service instead; the cost of recovering from a security breach can be far more expensive than the cost of new modem or router.How to use Windows Defender Firewall with Advanced security? ›
In Control Panel you can access the Windows Defender Firewall with Advanced Security by going to "System and Security -> Windows Defender Firewall," and then by clicking or tapping Advanced settings.What are the Windows Firewall rules for Windows Update? ›
Windows Update requires TCP port 80, 443, and 49152-65535.How to make sure your firewall is configured to allow access to Windows Update? ›
Go to Control Panel>Firewall>Advanced Settings . Then click Action>Export policy to make a copy of your current policy in case you want to restore it. Then click Action>Restore Default Policy . If it really is just the Firewall, this should allow you to use Windows Update.