In this tutorial, you will learn how to configure your firewalls using GPO to keep your Windows servers secure.
When it comes to keeping your infrastructure secure, protecting your servers is essential. If you have a Windows Server, the operating system already provides a firewall, and while it’s normally not enough to keep your system safe on its own, it is an additional layer of security that shouldn’t be overlooked.
Configuring firewalls using the graphic interface can be quite tedious as you have to replicate all your settings on each server. Furthermore, doing things this way makes it much more complicated to keep all your servers standardised and secure.
That’s why we recommend configuring your firewall using PowerShell. Not only is it a very quick way of making changes to settings, but it is also possible to create a script that you can then run using Group Policies (GPOs) to apply the changes to multiple devices at once.
View of the Windows Firewall console
How to Configure Your Windows Server Firewall Using PowerShell
Before you begin
To successfully complete this tutorial and configure your Windows Server firewall using PowerShell, you will need:
- To be registered on the Jotelulu platform and have logged in.
- To have registered for a Servers subscription.
- To have an AD DS Server deployed on your subscription.
- To have at least one operational Windows server on your subscription.
Part 1 – Creating the PowerShell Commands
The first thing you will need to do is write and test your PowerShell commands to ensure that you won’t have any problems later on with your script or deployment.
So, first, run the PowerShell console with administrator privileges. To do this, type “PowerShell” in the search bar (1) and choose from either Windows PowerShell or Windows PowerShell ISE, which is a small IDE that is ideal for working with scripts.
Right-click on your chosen option and select “Run as administrator” (2).
Next, we’ll run a number of commands to create our rules, starting with enabling Windows Defender Firewall with Advanced Security. To do this, run the following command, which can be applied to different profiles depending on your needs:
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
The profiles that this can be applied to are:
- Domain
- Public
- Private
For this tutorial, we will enable the firewall for all three profiles.
Next, you need to set the default behaviour for the firewall. In practice, this will depend on your own individual needs.
NOTE: Some of the commands that we will run in this tutorial will cut the connection to the server. So, for convenience and security, we always recommend working either on the server itself or via a direct connection.
The command we will run is:
Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow -NotifyOnListen True -AllowUnicastResponseToMulticast True -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
Where:
- DefaultInboundAction Block: sets the firewall to block all inbound connections by default except those that are explicitly specified.
- DefaultOutboundAction Allow: sets the firewall to open all outbound connections by default except those that are explicitly specified.
- NotifyOnListen True: records any not-allowed connection attempts in the log.
- AllowUnicastResponseToMulticast True: allows unicast responses to multicast traffic.
- LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log: sets the file that firewall log messages are written to.
Once you have done this, you can define the various rules that will apply to your firewalls.
In this tutorial, we are going to look at how to configure an inbound and outbound rule by way of an example.
To configure an inbound rule, you will need to use a structure similar to the following command:
New-NetFirewallRule -DisplayName "Name of inbound rule" -Direction Inbound -Program <File_path_of_program> -RemoteAddress <IP> -Action <Action>
Where:
- DisplayName: is the name given to the rule to help you keep your firewall rules organised, especially if you have a lot of them.
- Direction Inbound: indicates that the rule is an inbound rule. This would read “Direction Outbound” for an outbound rule.
- Program <File_path_of_program>: is the file location of the program that the inbound connections are allowed for.
- RemoteAddress <IP>: is the source IP address. These are often ranges of IP addresses.
- Action <Action>: this is the action to be taken by the firewall and can be set to either Allow or Block.
The following is an example of a command to set an inbound rule:
New-NetFirewallRule -DisplayName "Allow Telnet access" -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress 192.168.0.2 -Action Allow
Part 1 – Example of a command to set an inbound rule for Telnet using PowerShell
If you need to make a change, you can do so using the command “Set-NetFirewallRule”, as in this example:
Set-NetFirewallRule -DisplayName "Allow Telnet access" -RemoteAddress 192.168.0.23
If you want to remove a rule, you can use the following command:
Remove-NetFirewallRule -DisplayName <Name_of_rule>
Where “DisplayName <Name_of_rule>” is used to identify the rule you wish to remove. It’s good to have a clear naming policy for firewall rules.
Here is an example of a command to remove a rule:
Remove-NetFirewallRule -DisplayName "Allow Telnet access"
By way of an example, we are now going to look at how we would set the firewall to do the following:
- Allow incoming traffic for RDP connections.
- Allow incoming traffic for HTTP and HTTPS connections.
- Allow incoming traffic for FTP and SFTP connections.
The commands for this would look as follows:
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow -NotifyOnListen True -AllowUnicastResponseToMulticast True -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
New-NetFirewallRule -DisplayName "Allow RDP - TCP 3389" -Direction Inbound -Action Allow -EdgeTraversalPolicy Allow -Protocol TCP -LocalPort 3389
New-NetFirewallRule -DisplayName "Allow HTTP - TCP 80" -Direction Inbound -Action Allow -EdgeTraversalPolicy Allow -Protocol TCP -LocalPort 80
New-NetFirewallRule -DisplayName "Allow HTTPS - TCP 443" -Direction Inbound -Action Allow -EdgeTraversalPolicy Allow -Protocol TCP -LocalPort 443
New-NetFirewallRule -DisplayName "Allow FTP and SFTP - TCP 20, 21 and 22" -Direction Inbound -EdgeTraversalPolicy Allow -Action Allow -Protocol TCP -LocalPort 20-22
You can run these commands on multiple machines and that way automate your firewall configuration.
Part 2 – Turning the Commands into a Small Script
If we’re being completely honest, it’s a little pretentious to call this set of commands a script. For one thing, there is no programming structure. However, the power of this ‘script’ lies in its simplicity.
To create a script from these commands, simply type them all in a text file and save the file with the file extension “.ps1”, which is the Windows PowerShell extension.
NOTE: Be careful if you copy and paste any characters as you might have problems with quotation marks (“), hyphens (-) and other characters.
Part 2 – Example of a text file containing PowerShell commands
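The commands above, collected into one script file. This is an added example and not the tutorial's own file: it also makes the commands safe to re-run at every boot (a GPO startup script runs each time the server starts, and a plain New-NetFirewallRule would add a duplicate rule every time). The file name, the management subnet 192.168.0.0/24 and the log file under %SystemRoot%\Temp are assumptions.

```powershell
# Apply-FirewallBaseline.ps1 (hypothetical file name; added example, not the tutorial's own script).
# Safe to run as a GPO startup script: it executes at every boot, so each rule is created
# only when missing and reset to the baseline otherwise, instead of piling up duplicates.
$ErrorActionPreference = 'Stop'

# Assumption: administrators connect from this constructed management subnet.
$MgmtSubnet = '192.168.0.0/24'

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -NotifyOnListen True -AllowUnicastResponseToMulticast True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogBlocked True -LogMaxSizeKilobytes 16384   # also record dropped packets

# Baseline rules: name, TCP port(s) and who may connect. Remote-management ports are
# limited to the management subnet; the web ports stay open to everyone.
$Rules = @(
    @{ Name = 'Allow RDP - TCP 3389';  Port = 3389;    Remote = $MgmtSubnet },
    @{ Name = 'Allow HTTP - TCP 80';   Port = 80;      Remote = 'Any' },
    @{ Name = 'Allow HTTPS - TCP 443'; Port = 443;     Remote = 'Any' },
    @{ Name = 'Allow FTP - TCP 20-21'; Port = '20-21'; Remote = $MgmtSubnet },
    @{ Name = 'Allow SFTP - TCP 22';   Port = 22;      Remote = $MgmtSubnet }
)

foreach ($r in $Rules) {
    $params = @{
        DisplayName   = $r.Name
        Direction     = 'Inbound'
        Action        = 'Allow'
        Protocol      = 'TCP'
        LocalPort     = $r.Port
        RemoteAddress = $r.Remote
        Enabled       = 'True'
    }
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
        Set-NetFirewallRule @params          # rule exists from an earlier boot: re-apply baseline
    } else {
        # EdgeTraversalPolicy Block (the tutorial's commands use Allow) refuses unsolicited
        # traffic that reaches the server tunnelled through NAT, e.g. via Teredo.
        New-NetFirewallRule @params -EdgeTraversalPolicy Block
    }
}

# Startup scripts run unattended, so leave a trace that the baseline was applied.
"$(Get-Date -Format o) firewall baseline applied to $env:COMPUTERNAME" |
    Add-Content -Path "$env:SystemRoot\Temp\firewall-baseline.log"
```

Test it once interactively in an elevated PowerShell on a single server (ideally from the console, as the note in Part 1 advises) before handing it to the GPO.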
Part 3 – Creating a Group Policy
So far, you have written your commands and created your PowerShell script. All that remains now is to create a Group Policy that will run the script and configure your devices.
NOTE: In this tutorial, we’ll configure the firewall for the whole domain, but it is possible to do it just for the Organisational Unit (OU) if you wish.
First, launch the Group Policy Management Console (GPMC) by running “GPMC.msc”. You should launch it with administrator privileges. You can also run it from the Tools menu on the Server Manager console (3).
Part 3 – Launch the GPMC from the Tools menu in Server Manager
Next, right-click on the domain (4) and select “Create a GPO in this domain, and Link it here” (5).
Part 3 – Select the option “Create a GPO in this domain, and Link it here”
You will then see a window asking for you to give the new GPO a name (6).
Part 3 – Give the new GPO a name
This opens the Group Policy Manager, where you should search for the GPO that you just created, right-click on it (7) and select “Edit” (8).
Part 3 – Edit the GPO that you just created
You will now see the GPO editor, which will show the root folder with no elements selected.
Part 3 – View of the GPO editor
At this point, you need to decide how you want to implement your GPO, and you have two options depending on whether your policy will apply to the device or the user:
- Startup/Shutdown: To run the PowerShell script whenever the device starts up or shuts down, go to “Computer Settings > Policies > Windows Settings > Scripts (Startup/Shutdown)”.
- Logon/Logoff: To run the PowerShell script whenever a user logs on or off, go to “User Settings > Policies > Windows Settings > Scripts (Logon/Logoff)”.
NOTE: For this tutorial, we’ll choose to run the script when the device starts up. You can also do this using a firewall-based setting by going to “Computer Settings > Policies > Windows Settings > Security Settings > Windows Defender Firewall”.
For this tutorial, we are going to run the script on the server when it starts up. So, we’ll choose the first option, going to “Computer Settings > Policies > Windows Settings > Scripts (Startup/Shutdown)” (9). Next, right-click on “Startup” (10), select “Properties” and click on the “PowerShell Scripts” tab (11).
Part 3 – View of Properties: Startup window and the PowerShell Scripts tab
Lastly, click on “Add” (12) and enter the folder path (13) where your script is saved.
Part 3 – Add your firewall script
Everything should now be ready to go. You can check this by launching the Group Policy Management Console, searching for your GPO, checking its status and seeing whether it is linked to the script.
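The same check from PowerShell, as an added example that is not part of the original tutorial. The GPO name is a placeholder; the first half assumes the GroupPolicy and ActiveDirectory modules on the domain controller, the second half runs on a target server after it has rebooted (startup scripts only execute at boot, so gpupdate alone is not enough).

```powershell
# Added example: verify the GPO link, then verify the rules it produced on a server.
$GpoName = 'Firewall baseline'   # placeholder: the name you typed in step (6)

# --- On the domain controller: is the GPO linked at the domain level and enabled? ---
Import-Module GroupPolicy
Get-GPO -Name $GpoName | Select-Object DisplayName, GpoStatus, ModificationTime
$domainDn = (Get-ADDomain).DistinguishedName
(Get-GPInheritance -Target $domainDn).GpoLinks |
    Where-Object DisplayName -eq $GpoName |
    Select-Object DisplayName, Enabled, Enforced, Order

# --- On a target server after a reboot: was the GPO applied, and are the rules there? ---
gpresult /scope computer /r | Select-String $GpoName
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked
Get-NetFirewallRule -DisplayName 'Allow *' -Enabled True | ForEach-Object {
    # Port and address details live in separate filter objects attached to each rule.
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule     = $_.DisplayName
        Protocol = $port.Protocol
        Port     = $port.LocalPort
        Remote   = $addr.RemoteAddress
        Action   = $_.Action
    }
} | Format-Table -AutoSize
```

A rule listed twice with the same name means the startup script is not idempotent and has run more than once; Remove-NetFirewallRule -DisplayName (see Part 1) clears the duplicates.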
Conclusion
As you can see in this tutorial, configuring your firewalls using PowerShell scripts and GPOs is really very quick and simple. It’s very straightforward to create a small PowerShell script using basic commands, and this can then be used to apply settings to every server in your OU.
If you would like to find out more about this topic, we recommend that you visit the section on Microsoft Learn dedicated to PowerShell commands for managing Windows Firewall.
We also recommend checking out the following tutorials, where you will find additional information and some practical examples of what you can achieve with Group Policies:
- What Are GPOs and What Are They Used for
- Using GPOs to Run PowerShell Commands
- How to Configure a GPO for Mapping Shared Drives
- How to Configure a GPO for Printer Mapping
- How to Deploy a PowerShell Script Using GPO
- How to Configure Personal Drives Using GPO
- How to Hide a Disk Drive on Your Server Using the Local Policy Editor
Thanks for reading!