Chapter 9 – Windows Defender Firewall with Advanced Security
Windows Server Group Policy (GPO) Master Handbook
Chapter 9 – Windows Defender Firewall with Advanced Security
Learning Objectives
Learn how to deploy, manage, and troubleshoot Windows Defender Firewall through Group Policy in enterprise environments.
1. GPO Path
Computer Configuration → Windows Settings → Security Settings → Windows Defender Firewall with Advanced Security
2. Firewall Profiles
Windows Defender Firewall has three profiles: Domain (corporate network), Private (trusted network), and Public (untrusted network). Configure each profile separately.
3. Inbound and Outbound Rules
Inbound rules control incoming traffic. Outbound rules control traffic leaving the device. Use 'Allow' only when required and follow the principle of least privilege.
4. Rule Types
Program rules, Port rules (TCP/UDP), Predefined rules, and Custom rules supporting IP addresses, users, computers, services, and protocols.
5. Logging
Enable dropped packet and successful connection logging. Store logs in a central location for security investigations where appropriate.
6. IPsec Connection Security
Use Connection Security Rules to authenticate computers and encrypt traffic between servers using IPsec.
7. Enterprise Best Practices
Enable the firewall on all profiles, deny unnecessary inbound traffic, document firewall exceptions, use GPOs for consistency, and review rules regularly.
8. PowerShell
Get-NetFirewallProfile
Set-NetFirewallProfile
Get-NetFirewallRule
New-NetFirewallRule
Enable-NetFirewallRule
Disable-NetFirewallRule
9. Troubleshooting
Verify the active firewall profile, check rule precedence, confirm the Windows Defender Firewall service is running, review firewall logs, use Test-NetConnection, and run gpresult /h to confirm GPO application.
10. Common Event IDs
2004 (rule changes), 2005 (settings changes), 2033 (policy processing) and related Windows Defender Firewall operational events.
11. Interview Questions
What is the difference between Domain, Private, and Public profiles? Explain inbound vs outbound rules. How do you create a port rule? How do you troubleshoot blocked traffic?
12. Practical Lab
Create a GPO that allows TCP port 3389 for Domain profile only, update policy with gpupdate /force, verify using Get-NetFirewallRule and Test-NetConnection.
Common Firewall GPO Configuration
Setting | Recommendation | Location |
Domain Profile | Enabled | Firewall Profiles |
Private Profile | Enabled | Firewall Profiles |
Public Profile | Enabled | Firewall Profiles |
Inbound Connections | Block unless allowed | Profile Settings |
Outbound Connections | Allow (review exceptions) | Profile Settings |
Logging | Enable | Monitoring |
RDP Rule | Allow only when required | Inbound Rules |
ICMP (Ping) | Enable only if needed | Custom Rule |
Microsoft Learn References
Comments
Post a Comment