How to use Windows Defender Firewall with Advanced Security on Windows Server 2016

The Windows Defender Firewall is a host-based firewall that runs on Windows Server and is enabled by default. Management of the firewall can be accomplished in multiple ways, but for this tutorial, we will solely use the management snap-in, “Windows Defender Firewall with Advanced Security”. Using this snap-in you can control both the inbound and outbound traffic to/from the server.

Accessing the Windows Defender Firewall with Advanced Security snap-in

  • Open the Server Manager from the task bar.
  • On the right-hand side in the top navigation bar, click Tools and select Windows Defender Firewall with Advanced Security.
  • Review the current configuration settings by selecting Windows Firewall Properties from the MMC landing page. You can access and modify the settings for each of the three firewall profiles, Domain, Private, and Public, as well as IPSec settings.

Alternatively, the Windows Defender Firewall snap-in can be opened directly with the following:

Start → Run → wf.msc

The Windows Firewall's default policy is to deny all incoming traffic that is not explicitly allowed by an inbound Allow rule and, conversely, to allow all outgoing traffic unless a matching outbound Deny rule exists. Windows Server automatically adds exceptions to the firewall based on the roles, features, or apps that you install; in some cases, Windows simply toggles the state of existing rules.

For instance, if you install the “Web Server (IIS)” role, Windows automatically creates an inbound exception for traffic on port 80 for the IIS process specifically, allowing incoming client requests to reach your website. Or, if you enable Remote Desktop via the system properties, Windows automatically toggles the existing rules “Remote Desktop User Mode (TCP-In)” and “Remote Desktop User Mode (UDP-In)” to enabled, allowing incoming RDP requests on port 3389. Enabled rules can be identified by the green check mark preceding the rule name.

Using the Windows Firewall with Advanced Security, you can limit the exposure of an application to improve security. This is done fairly easily by limiting the scope of remote IP addresses that are allowed to connect, or by disabling the rule if it is not needed.

Below is an example:

Restricting access to the RDP Port 3389:

  • Open Windows Firewall, Start → Run → wf.msc
  • Select Inbound Rules from the left side navigation pane
  • Within the list of Inbound Rules, locate the rule “Remote Desktop User Mode (TCP-In)” and double-click it to bring up the rule’s properties pane.
  • Select the “Scope” tab, then select “These IP addresses” under “Remote IP Addresses” and hit “Add…” to enter one or more IP addresses.
  • Now any request to the server’s port 3389 from a remote IP not on the list will be dropped.

Creating Custom Firewall Rules

Custom rules can allow for more granular control over inbound and outbound traffic to your Windows Server. In this example, we will create a custom firewall rule to limit access to ports 80 and 443.

  • Open the Windows Defender Firewall with Advanced Security snap-in (Start → Run → wf.msc).
  • Select “Inbound Rules” from the left-hand side navigation pane.
  • Under the “Actions” pane, on the right-hand side, choose “New Rule”.
  • In the “New Inbound Rule Wizard”, select rule type “Custom”, then hit Next.
  • Choose “All Programs”, then hit Next.
  • Next, select the protocol type that your application uses. For this example, we will use TCP.
    • Change Local Port from “All Ports” to “Specific Ports”, then enter the port(s) that your application listens on.

  • On the next screen, choose “These IP addresses” under, “Which remote IP addresses does this rule apply to?” and select Add to enter one or more IP addresses that this rule should apply to.
  • On the next page, you can choose either “Allow the connection” or “Block the connection”. The option you choose dictates whether the remote IP addresses you listed are permitted to connect to your application on the port(s) you defined.

Once you have finished adding the rule, it immediately goes into effect without need for rebooting the server or restarting services.
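The two changes above (scoping the built-in RDP rules and creating a custom 80/443 rule) can also be scripted with the NetSecurity module that ships with Windows Server 2016. This is an added example, not part of the original tutorial; the address ranges and the custom rule's display name are constructed placeholders, and the final step lists every enabled inbound rule on those ports so an unscoped rule that would undo the restriction stands out.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): the wf.msc steps above, done with
# the NetSecurity cmdlets. Address lists and the rule name are constructed placeholders.

$RdpAllowedFrom = @('10.0.10.0/24', '192.168.1.50')   # constructed: management subnet + jump host
$WebAllowedFrom = @('203.0.113.0/24')                  # constructed: only this range may reach the site

# 1. Scope the built-in "Remote Desktop" group (covers both the TCP-In and UDP-In rules
#    mentioned above) so only the listed remote addresses may reach port 3389.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $RdpAllowedFrom

# 2. Custom inbound rule for TCP 80/443, limited to the approved client range,
#    equivalent to the "Custom" wizard walk-through. Skip creation if it already exists.
$ruleName = 'Web - HTTP/HTTPS from approved range'     # constructed display name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 80,443 -RemoteAddress $WebAllowedFrom -Action Allow -Profile Any | Out-Null
}

# 3. Verify: show every enabled inbound rule touching 3389, 80 or 443 together with its
#    remote-address scope. A second Allow rule with RemoteAddress 'Any' on the same port
#    would still admit everyone, so check the whole list, not just the rule you edited.
$watchedPorts = @('3389', '80', '443')
Get-NetFirewallRule -Direction Inbound -Enabled True | ForEach-Object {
    $rule      = $_
    $localPort = @(($rule | Get-NetFirewallPortFilter).LocalPort)
    if ($localPort | Where-Object { $watchedPorts -contains $_ }) {
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Action        = $rule.Action
            LocalPort     = ($localPort -join ',')
            RemoteAddress = (@(($rule | Get-NetFirewallAddressFilter).RemoteAddress) -join ',')
        }
    }
} | Format-Table -AutoSize
```

Rules created or changed this way take effect immediately, exactly as they do from the snap-in, so run the verification step from a session you will not lock yourself out of.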