Configuring rules using Group Policy
Although the Windows Firewall with Advanced Security is useful
for configuring firewall rules and settings on the local computer,
in managed environments you will want to use Group Policy to deploy
firewall rules and settings on targeted computers. To do this, you
can follow these steps:
- Use the Group Policy Management Editor to open the Group Policy Object (GPO) that targets the computers on which you want to deploy the firewall policy. You will typically do this using the Group Policy Management Console.
- Expand the console tree to display the following policy node (as shown in Figure 13):
  Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security
- In the details pane, click Windows Firewall Properties if you want to deploy settings for firewall profiles to the targeted computers.
- To deploy inbound rules to the targeted computers, right-click on Inbound Rules and select New Rule. Then complete the steps in the New Inbound Rule Wizard to configure the new inbound rule.
- To deploy outbound rules to the targeted computers, right-click on Outbound Rules and select New Rule. Then complete the steps in the New Outbound Rule Wizard to configure the new outbound rule.
Note
Connection security rules
You can also use Windows PowerShell to configure firewall
rules and settings in a GPO and then use the GPO to deploy the
firewall policy to targeted computers. For example, let’s start by
using the Get-NetFirewallProfile cmdlet to view the value of the
NotifyOnListen policy setting for the domain firewall profile in the
Sales GPO of the corp.fabrikam.com domain:
PS C:\> Get-NetFirewallProfile -Name Domain -PolicyStore corp.fabrikam.com\Sales | `
fl NotifyOnListen
NotifyOnListen : NotConfigured
The command output indicates that this firewall policy setting
is not configured in the Sales GPO. To enable this setting, you can
pipe the output of the preceding command into the
Set-NetFirewallProfile command like this:
PS C:\> Get-NetFirewallProfile -Name Domain -PolicyStore corp.fabrikam.com\Sales | `
Set-NetFirewallProfile -NotifyOnListen True
You can use Get-NetFirewallProfile again to verify the
result:
PS C:\> Get-NetFirewallProfile -Name Domain -PolicyStore corp.fabrikam.com\Sales | `
fl NotifyOnListen
NotifyOnListen : True
Now let’s create a new rule to block outgoing traffic over TCP
port 80 on computers targeted by the Sales GPO. To begin with, running
the Get-NetFirewallRule cmdlet against the Sales GPO shows that there
are currently no firewall rules configured in this GPO (the command
returns no output):
PS C:\> Get-NetFirewallRule -PolicyStore corp.fabrikam.com\Sales
You can use the New-NetFirewallRule cmdlet to create the new
rule in the GPO as follows:
PS C:\> New-NetFirewallRule -PolicyStore corp.fabrikam.com\Sales `
-DisplayName "Block Outbound Port 80" -Direction Outbound -LocalPort 80 `
-Protocol TCP -Action Block
Name : {0c7a9c6c-af48-4acf-bcdd-adcf8d9790b2}
DisplayName : Block Outbound Port 80
Description :
DisplayGroup :
Group :
Enabled : True
Profile : Any
Platform : {}
Direction : Outbound
Action : Block
EdgeTraversalPolicy : Block
LooseSourceMapping : False
LocalOnlyMapping : False
Owner :
PrimaryStatus : OK
Status : The rule was parsed successfully from the store. (65536)
EnforcementStatus : NotApplicable
PolicyStoreSource :
PolicyStoreSourceType : GroupPolicy
Opening the Sales GPO in the Windows Firewall with Advanced
Security snap-in will verify that the new rule has been configured
as expected in the firewall policy for the GPO.
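The two PowerShell passages above (setting a profile property in the GPO, then adding a rule to it) can be combined into one idempotent script that only changes what differs from the desired state and then verifies the result. The following is an added example written for this page, not code from the original text. It reuses the book's sample policy store corp.fabrikam.com\Sales and the "Block Outbound Port 80" rule; the LogBlocked setting and the port-filter verification step are assumptions that go slightly beyond the page, added because a defender typically wants blocked connections logged and wants to confirm the port and protocol actually written to the GPO.

```powershell
# Added example: idempotently apply firewall policy to a GPO policy store
# and verify what was written. Run from an elevated session on a machine
# with the GroupPolicy tooling and the NetSecurity module (Windows 8 /
# Server 2012 and later).
$PolicyStore = 'corp.fabrikam.com\Sales'   # sample store from the text

# Desired settings for the Domain profile in this GPO.
# Values are GpoBoolean strings: True / False / NotConfigured.
$desiredProfile = @{
    NotifyOnListen = 'True'   # setting discussed in the text
    LogBlocked     = 'True'   # assumption: log dropped packets for detection
}

# Read the current profile once, then change only settings that differ.
$domainProfile = Get-NetFirewallProfile -Name Domain -PolicyStore $PolicyStore
foreach ($setting in $desiredProfile.Keys) {
    $current = "$($domainProfile.$setting)"
    $wanted  = $desiredProfile[$setting]
    if ($current -ne $wanted) {
        Write-Host "Domain profile: $setting is '$current', setting to '$wanted'"
        $params = @{ $setting = $wanted }          # splat one parameter by name
        $domainProfile | Set-NetFirewallProfile @params
    } else {
        Write-Host "Domain profile: $setting already '$current'"
    }
}

# Rule to deploy; created only if no rule with this DisplayName exists in
# the GPO, so re-running the script does not produce duplicate rules.
$ruleName = 'Block Outbound Port 80'
$rule = Get-NetFirewallRule -PolicyStore $PolicyStore -DisplayName $ruleName `
    -ErrorAction SilentlyContinue
if (-not $rule) {
    Write-Host "Creating rule '$ruleName' in $PolicyStore"
    $rule = New-NetFirewallRule -PolicyStore $PolicyStore -DisplayName $ruleName `
        -Direction Outbound -Protocol TCP -LocalPort 80 -Action Block -Profile Any
} else {
    Write-Host "Rule '$ruleName' already present in $PolicyStore"
}

# Verify: Get-NetFirewallRule output does not include ports or protocol,
# so join each rule with its port filter before displaying it.
$rule | ForEach-Object {
    $portFilter = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        DisplayName = $_.DisplayName
        Enabled     = $_.Enabled
        Direction   = $_.Direction
        Action      = $_.Action
        Protocol    = $portFilter.Protocol
        LocalPort   = $portFilter.LocalPort
        RemotePort  = $portFilter.RemotePort
        StoreType   = $_.PolicyStoreSourceType
    }
} | Format-List
```

Two points worth checking when you adapt this. First, the rule mirrors the text's command and filters on -LocalPort 80, which matches outbound connections whose local endpoint is port 80; if the intent is to stop clients from reaching remote web servers, the filter to use is -RemotePort 80, and the verification step above shows which of the two was actually written. Second, writing to a GPO policy store changes nothing on any computer until Group Policy refreshes on the targeted machines, so verify on a client with Get-NetFirewallRule -PolicyStore ActiveStore (or gpresult) rather than assuming the rule is in effect.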