Every Windows OS comes with a native firewall as the basic protection against malicious programs. Windows Firewall controls the incoming and outgoing traffic from and to the local system based on the criteria defined in its rules. The criteria can be program name, protocol, port, or IP address. In a domain environment, an administrator can centrally configure Windows Firewall rules using Group Policy. This way, the rules are automatically applied to all targeted computers in the domain, which improves security consistently across the domain.
How to Configure Windows Firewall Rule using Group Policy
There are two ways to configure Windows Firewall rules using Group Policy:
- Using the legacy configuration
The settings can be found under Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall. The settings in this section were intended for Windows versions before the release of Windows Vista and Windows Server 2008, but they still work on newer releases of Windows. However, they are not recommended unless outdated OS versions are still being managed in the domain.
- Using the new configuration
The settings can be found under Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security. The settings in this section have been optimized for current Windows releases, and they use the very same wizard GUI as when creating a firewall rule directly on the client computer, which makes the task easier for the administrator.
In this example, we are going to create a custom firewall rule using the new configuration. The scenario is to allow an application named MustBeGeek.exe, which listens on a random TCP port in the range 60000-65535, to accept inbound connections.
The step by step configuration is as follows:
1. Defining the policy object
Open up the Group Policy Management console and decide whether to use an existing GPO or create a new one. After that, edit the GPO and go to Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security.
2. Set the firewall to be enabled
Click on Windows Firewall with Advanced Security in the left pane, and the menu shown below will appear in the right pane. Click on Windows Firewall Properties.
On the first three tabs, Domain Profile, Private Profile, and Public Profile, make sure the firewall is set to On (recommended) and that the configuration shown below is applied. This ensures that no computer in the domain has its firewall turned off. Click OK to confirm the setting.
Verify that the overview now looks like the screenshot below.
3. Configuring firewall rules
Now it is time to create the firewall rule. The actions performed in this step vary depending on what needs to be configured. In this example, an inbound rule will be created. Click on Inbound Rules in the left pane, then right-click on an empty area in the right pane and select New Rule.
There are four types of rule to choose from. Select Custom and click Next.
In a custom rule, we can specify the program, ports, and IP addresses as necessary. According to the requirement in this example, the configuration will look like the screenshots below.
Protocol and ports
Scope (IP address)
After specifying the program path, ports, and IP addresses, set the action to Allow the connection.
Tick all the boxes to ensure that this rule is applied on all profiles.
When all the settings have been completed, give the rule a name for identification purposes.
Once done, the summary of the newly created rule can be seen in the Group Policy Management console.
4. Verify results on the client
Apply the GPO to a computer OU, then check the result in the client's firewall configuration. A banner will say that the settings are controlled by Group Policy, and the firewall state will match what was configured earlier.
End users will no longer be able to modify the firewall state or its default actions.
In the rules section, confirm that the configured rule has been added to the list.
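The same steps 2 to 4 driven from PowerShell with the built-in NetSecurity cmdlets, as an added example that is not part of the original article. The domain name, GPO name and program path are assumed placeholders; the GPO part runs on an admin workstation with the GroupPolicy RSAT tools, the check at the end runs on a client in the targeted OU.

```powershell
# Added example, not from the original article. Steps 2-4 done with the NetSecurity
# cmdlets: the profile setting and the MustBeGeek.exe inbound rule are written into
# the GPO, then a client checks that its active firewall state comes from Group Policy.
# Assumed placeholders: the domain, the GPO name and the program path.
$GpoStore = 'corp.example\Firewall - Workstations'          # assumed "domain\GPO name"
$Program  = 'C:\Program Files\MustBeGeek\MustBeGeek.exe'    # assumed install path

# --- On the admin workstation (GroupPolicy RSAT installed) ---
# Open the GPO once and batch every change into a single Save-NetGPO.
$gpo = Open-NetGPO -PolicyStore $GpoStore

# Step 2: firewall On for all three profiles; a client cannot override a GPO setting.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -GPOSession $gpo

# Step 3: custom inbound rule, TCP 60000-65535, only for the named program, all profiles.
New-NetFirewallRule -DisplayName 'Allow MustBeGeek inbound' -Direction Inbound `
    -Action Allow -Protocol TCP -LocalPort '60000-65535' -Program $Program `
    -Profile Any -GPOSession $gpo

Save-NetGPO -GPOSession $gpo

# --- On a client in the targeted OU, after gpupdate /force ---
# Step 4: ActiveStore is the merged local + GPO state; PolicyStoreSourceType shows
# which store a rule came from, so 'GroupPolicy' confirms the rule was pushed by the GPO.
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, DefaultInboundAction

Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound |
    Where-Object { $_.PolicyStoreSourceType -eq 'GroupPolicy' -and
                   $_.DisplayName -like '*MustBeGeek*' } |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Source    = $_.PolicyStoreSource      # name of the GPO the rule came from
            Protocol  = $port.Protocol
            LocalPort = $port.LocalPort
            Program   = $app.Program
        }
    }
```

If the rule is listed with PolicyStoreSourceType Local instead of GroupPolicy, the GPO has not been applied to that computer yet or the computer is outside the linked OU.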
Useful Tips for Managing Windows Firewall Rule using Group Policy
The firewall rule will be added as soon as Group Policy is refreshed; a manual refresh can be triggered with the command gpupdate /force.
When configuring firewall rules in Group Policy, it is not recommended to set rules using both the legacy and the new configuration in the same Group Policy Object. Windows will try to merge the settings, but the result may not be what was expected. The best practice is to use a separate policy object for legacy computers.
Another handy tip: an administrator can simply import firewall rules created on another Windows computer into the Group Policy Object instead of re-creating them one by one. This saves time and effort and produces consistent firewall rules across the domain.
And that concludes the example of configuring a Windows Firewall rule using Group Policy.