Chapter 9 – Windows Defender Firewall with Advanced Security

 Windows Server Group Policy (GPO) Master Handbook

Chapter 9 – Windows Defender Firewall with Advanced Security

Learning Objectives

Learn how to deploy, manage, and troubleshoot Windows Defender Firewall through Group Policy in enterprise environments.

1. GPO Path

Computer Configuration → Windows Settings → Security Settings → Windows Defender Firewall with Advanced Security

2. Firewall Profiles

Windows Defender Firewall has three profiles: Domain (corporate network), Private (trusted network), and Public (untrusted network). Configure each profile separately.

3. Inbound and Outbound Rules

Inbound rules control incoming traffic. Outbound rules control traffic leaving the device. Use 'Allow' only when required and follow the principle of least privilege.

4. Rule Types

Program rules, Port rules (TCP/UDP), Predefined rules, and Custom rules supporting IP addresses, users, computers, services, and protocols.

5. Logging

Enable dropped packet and successful connection logging. Store logs in a central location for security investigations where appropriate.

6. IPsec Connection Security

Use Connection Security Rules to authenticate computers and encrypt traffic between servers using IPsec.

7. Enterprise Best Practices

Enable the firewall on all profiles, deny unnecessary inbound traffic, document firewall exceptions, use GPOs for consistency, and review rules regularly.

8. PowerShell

Get-NetFirewallProfile
Set-NetFirewallProfile
Get-NetFirewallRule
New-NetFirewallRule
Enable-NetFirewallRule
Disable-NetFirewallRule

9. Troubleshooting

Verify the active firewall profile, check rule precedence, confirm the Windows Defender Firewall service is running, review firewall logs, use Test-NetConnection, and run gpresult /h to confirm GPO application.

10. Common Event IDs

2004 (rule changes), 2005 (settings changes), 2033 (policy processing) and related Windows Defender Firewall operational events.

11. Interview Questions

What is the difference between Domain, Private, and Public profiles? Explain inbound vs outbound rules. How do you create a port rule? How do you troubleshoot blocked traffic?

12. Practical Lab

Create a GPO that allows TCP port 3389 for Domain profile only, update policy with gpupdate /force, verify using Get-NetFirewallRule and Test-NetConnection.

Common Firewall GPO Configuration

Setting

Recommendation

Location

Domain Profile

Enabled

Firewall Profiles

Private Profile

Enabled

Firewall Profiles

Public Profile

Enabled

Firewall Profiles

Inbound Connections

Block unless allowed

Profile Settings

Outbound Connections

Allow (review exceptions)

Profile Settings

Logging

Enable

Monitoring

RDP Rule

Allow only when required

Inbound Rules

ICMP (Ping)

Enable only if needed

Custom Rule

Microsoft Learn References

Windows Defender Firewall

Windows Defender Firewall with Advanced Security

NetSecurity PowerShell Module

Comments