As a system administrator, finding relatively low-effort ways to improve your organization’s security posture is always a win.
When using Windows-based workstations, one way you can easily implement added protection to your environment is by enabling and deploying Windows Firewall.
What is Windows Firewall?
Windows Firewall — which Microsoft rebranded to Windows Defender Firewall with the release of Windows 10 — is a stateful host firewall within the Windows OS that helps secure your device by creating rules to manage inbound and outbound network connections. Windows Defender Firewall with Advanced Security is the tool that enables admins to deploy rules to Windows Defender Firewall — essentially a more robust version of the control panel.
Enabling Windows Defender Firewall is an important step toward a layered security model. It helps reduce the risk of network-based threats, safeguard your sensitive data and intellectual property, and extend the value of your existing investments.
Windows Defender Firewall is available on Windows Vista, 7, 8, 10 and 11 for workstations and Windows 2008, 2008 R2, 2012, 2016, 2019 and 2022 for servers.
What is Group Policy?
In a Windows-based environment, Group Policy is the infrastructure that allows you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences.
Group Policy is every systems administrator’s dream. It helps deploy and manage anything in their environment and helps control certain security elements, like firewall settings, DNS, remote desktop rules, domain profiles, file and folder permissions, and countless others.
To use and implement Group Policy Objects (GPOs), you will need an Active Directory domain (the GPOs live on a Domain Controller) and the Group Policy Management Console (GPMC) installed. GPOs can also be automated and deployed with the Group Policy cmdlets for Windows PowerShell, which are installed with GPMC or the Remote Server Administration Tools (RSAT).
Benefits of Group Policy
Besides helping to control security settings, Group Policy has a variety of benefits:
- Ease of Management – Managing an organization of any size can be time-consuming for a system administrator. Group Policy simplifies this by applying the same rules and settings to every user and workstation in your environment from one central location.
- Security – Using Group Policy can help institute some of the best security practices at any organization. Firewall rules, password rules and remote computer access are some examples of security practices that all organizations should establish and implement.
- Cost and Time – Managing large numbers of endpoints from one centralized system removes the need to hire a larger staff of system administrators. Group Policy scales to any organization size and sharply cuts down both the time spent managing endpoints and the number of staff required.
Configuring Windows Firewall via Group Policy
Managing Windows Firewall with Group Policy can save time, making it an ideal option for smaller or resource-strapped IT teams. Here’s a step-by-step tutorial of how to configure Windows Firewall with Group Policy.
1. Open your domain’s Group Policy Management Console (gpmc.msc).
2. Navigate to the Domain and the Group Policy Object folder. Create a new GPO (following your company’s naming convention).
3. Right-click the new GPO and select Edit.
4. Set the firewall service to start automatically. Go to Computer Configuration > Policies > Windows Settings > Security Settings > System Services. Find Windows Firewall in the list of services and change its startup type to Automatic (check Define this policy setting and select Automatic as the service startup mode).
5. Next, enable the firewall for all connections. Go to Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Defender Firewall > Domain Profile and enable the policy Windows Defender Firewall: Protect all network connections.
6. Within the GPO editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings. Right-click Windows Firewall with Advanced Security and open its properties. Set Firewall state to On (recommended) on each of the profiles you will be using (enabling it on all three is best practice).
Logging for Windows Firewall and Windows Defender Firewall is disabled by default. If you are running Blumira Advanced Edition (now replaced by the SIEM + Endpoint Visibility and XDR Platform editions), you can ensure you are getting all the necessary logs by deploying Poshim, an automated script by Blumira that not only enables those logs but also enables Sysmon and NXLog to capture all necessary logs and send them to your Blumira Sensor to ingest, parse and trigger detections.
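The GPO work in steps 2, 5 and 6 above, plus turning on the per-profile firewall logging that is off by default, as an added PowerShell example that is not part of the original post. It assumes the GroupPolicy and NetSecurity modules from RSAT/GPMC are present and that the domain, GPO name and OU below are placeholders for your own.

```powershell
# Added example (not from the original post): create a GPO, enforce Windows Defender
# Firewall on every profile, enable dropped-packet logging, and link the GPO to an OU.
# Assumptions: domain 'corp.example', GPO 'SEC-Host-Firewall', OU 'Workstations'.
Import-Module GroupPolicy
Import-Module NetSecurity

$Domain   = 'corp.example'                          # assumption: your AD domain
$GpoName  = 'SEC-Host-Firewall'                     # assumption: your naming convention
$TargetOU = 'OU=Workstations,DC=corp,DC=example'    # assumption: OU the GPO is linked to

# Step 2: create the GPO unless it already exists, so the script can be re-run safely.
$gpo = Get-GPO -Name $GpoName -Domain $Domain -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Domain $Domain -Comment 'Enforce Windows Defender Firewall'
}

# Step 5: the "Protect all network connections" template setting is stored as
# EnableFirewall=1 under the WindowsFirewall policy key for the Domain profile.
Set-GPRegistryValue -Name $GpoName -Domain $Domain `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' `
    -ValueName 'EnableFirewall' -Type DWord -Value 1 | Out-Null

# Step 6: firewall state On for all three profiles, written into the GPO's policy
# store (not the local store). Block inbound by default, allow outbound, and turn on
# logging of dropped packets so a SIEM has something to ingest.
$session = Open-NetGPO -PolicyStore "$Domain\$GpoName"
Set-NetFirewallProfile -GPOSession $session -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogMaxSizeKilobytes 16384 `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'
Save-NetGPO -GPOSession $session

# Link the GPO to the OU once, then read the stored profile settings back to verify.
$linked = (Get-GPInheritance -Target $TargetOU).GpoLinks.DisplayName -contains $GpoName
if (-not $linked) {
    New-GPLink -Name $GpoName -Domain $Domain -Target $TargetOU -LinkEnabled Yes | Out-Null
}
Get-NetFirewallProfile -PolicyStore "$Domain\$GpoName" |
    Select-Object Name, Enabled, DefaultInboundAction, LogBlocked, LogFileName
```

Clients pick up the settings at the next Group Policy refresh; run gpupdate /force on a test workstation and compare Get-NetFirewallProfile there against the values printed above.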
Configure Firewall Rules via Group Policy
1. Using the same GPO as implemented — or creating a new one if you feel it’s necessary in your environment — we can create firewall rules. To configure your rules, go to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security.
2. Select the rule type. You can allow access to:
- Program – you can select a program executable (.exe);
- Port – you can select a TCP/UDP port or a port range;
- Predefined – select one of the standard Windows rules, which already specify the executables and ports for typical services (e.g., AD, HTTP(S), DFS, BranchCache, Remote restart, SNMP, KMS, WinRM, etc.);
- Custom – here you can specify a program, a protocol (protocols other than TCP or UDP, like ICMP, GRE, L2TP, IGMP, etc.), client IP addresses, or an entire IP network (subnet).
3. For this example, we will allow TCP port 8080.
4. There are three options: Allow the connection, Allow the connection if it is secure, and Block the connection. In this case, we will select Allow the connection.
5. Select the profiles the rule should apply to.
6. Give the rule a name and select Finish.
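The rule wizard in steps 1 to 6 above, done in PowerShell against the same GPO, as an added example that is not part of the original post. It goes one step beyond the wizard's defaults by scoping the rule to a source subnet (the Custom rule type's address scoping); the domain, GPO name, rule name and subnet are assumptions.

```powershell
# Added example (not from the original post): a Port rule allowing TCP 8080, Allow,
# Domain profile, stored in the GPO, with a remote-address scope and a read-back check.
# Assumptions: domain 'corp.example', GPO 'SEC-Host-Firewall', subnet 10.20.0.0/16.
Import-Module NetSecurity

$Domain   = 'corp.example'            # assumption: your AD domain
$GpoName  = 'SEC-Host-Firewall'       # assumption: the GPO from the previous section
$RuleName = 'Allow-TCP-8080-Inbound'  # assumption: your rule naming convention
$Clients  = '10.20.0.0/16'            # assumption: the only subnet that needs port 8080

$session = Open-NetGPO -PolicyStore "$Domain\$GpoName"

# The wizard will happily create duplicate rules with the same name; check first.
$existing = Get-NetFirewallRule -GPOSession $session -DisplayName $RuleName `
    -ErrorAction SilentlyContinue
if (-not $existing) {
    # Steps 2-5: Port rule, TCP 8080, Allow the connection, Domain profile only.
    # Restricting RemoteAddress narrows exposure compared with the wizard's default
    # of accepting the port from any address.
    New-NetFirewallRule -GPOSession $session -DisplayName $RuleName `
        -Description 'App listener on TCP 8080, reachable from client subnet only' `
        -Direction Inbound -Protocol TCP -LocalPort 8080 `
        -RemoteAddress $Clients `
        -Profile Domain -Action Allow -Enabled True | Out-Null
}
Save-NetGPO -GPOSession $session

# Read the rule back with its port and address filters to confirm what was stored.
Get-NetFirewallRule -PolicyStore "$Domain\$GpoName" -DisplayName $RuleName |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Direction = $_.Direction
            Action    = $_.Action
            Profile   = $_.Profile
            Protocol  = $port.Protocol
            LocalPort = $port.LocalPort
            Remote    = $addr.RemoteAddress
        }
    }
```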
Blumira: Going Beyond Windows Firewall Security
Enabling Windows Firewall is a great way to get started with Microsoft security, but it’s just the tip of the iceberg. For more complete visibility, you’ll need to centralize those firewall logs, as well as receive alerting around them.
Blumira is a cloud-based SIEM with threat detection and response that integrates with Windows Firewall, along with a variety of other security tools, to give you enhanced visibility over your entire environment.
Blumira is dedicated to helping small teams achieve easy-to-use, effective security that meets compliance and protects them against breaches and ransomware. We do things differently by providing more value for better security outcomes, including:
- Automate Tasks For You – We do all the heavy lifting for your team to save them time, including parsing, creating native third-party integrations, and testing and tuning detection rules to reduce noisy alerts.
- Faster Time to Security – Our unique approach to detections notifies you of threats other security tools may miss, sending you real-time alerts in under a minute of initial detection to help you respond to threats faster than ever.
- Easily Meet Compliance – With a year of data retention and deployment that takes minutes to hours, we help you meet cyber insurance and compliance easily and quickly with the team you have today.
Blumira’s free edition integrates directly with your Microsoft 365 tenant to detect suspicious activity in your environment — at no cost. Get your free account and see the value of Blumira today.