How to Configure Firewalls Using GPO

In this tutorial, you will learn how to configure your firewalls using GPO to keep your Windows servers secure.

When it comes to keeping your infrastructure secure, protecting your servers is essential. If you have a Windows Server, the operating system already provides a firewall, and while it’s normally not enough to keep your system safe on its own, it is an additional layer of security that shouldn’t be overlooked.

Configuring firewalls using the graphic interface can be quite tedious as you have to replicate all your settings on each server. Furthermore, doing things this way makes it much more complicated to keep all your servers standardised and secure.

That’s why we recommend configuring your firewall using PowerShell. Not only is it a very quick way of making changes to settings, but it is also possible to create a script that you can then run using Groups Policies (GPOs) to apply the changes to multiple devices at once.

View of the Windows Firewall console

How to Configure Your Windows Server Firewall Using PowerShell


Before you begin

To successfully complete this tutorial and configure your Windows Server firewall using PowerShell, you will need:

  • To be registered on the Jotelulu platform and have logged in.
  • To have registered for a Servers subscription.
  • To have an AD DS Server deployed on your subscription.
  • To have at least one operational Windows server on your subscription.


Part 1 – Creating the PowerShell Commands

The first thing you will need to do is write and test your PowerShell commands to ensure that you won’t have any problems later on with your script or deployment.

So, first, run the PowerShell console with administrator privileges. To do this, type “PowerShell” in the search bar (1) and choose from either Windows PowerShell or Windows PowerShell ISE, which is a small IDE that is ideal for working with scripts.

Right-click on your chosen option and select “Run as administrator” (2).

Part 1 - Run the PowerShell console with administrator privileges

Next, we’ll run a number of commands to create our rules, starting with enabling Windows Defender Firewall with Advanced Security. To do this, run the following command, which can be applied to different profiles depending on your needs:

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True

The profiles that this can be applied to are:

  • Domain
  • Public
  • Private

For this tutorial, we will enable the firewall for all three profiles.

Next, you need to set the default behaviour for the firewall. In practice, this will depend on your own individual needs.

NOTE: Some of the commands that we will run in this tutorial will cut the connection to the server. So, for convenience and security, we always recommend working either on the server itself or via a direct connection.

The command we will run is:

Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow -NotifyOnListen True -AllowUnicastResponseToMulticast True -LogFileName "%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log"

Where:

  • DefaultInboundAction Block: sets the firewall to block all inbound connections by default except those that are explicitly allowed by a rule.
  • DefaultOutboundAction Allow: sets the firewall to allow all outbound connections by default except those that are explicitly blocked by a rule.
  • NotifyOnListen True: shows a notification when the firewall blocks a program from listening for inbound connections.
  • AllowUnicastResponseToMulticast True: allows unicast responses to multicast traffic.
  • LogFileName "%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log": sets the file where firewall log messages are to be saved.

Once you have done this, you can define the various rules that will apply to your firewalls.

In this tutorial, we are going to look at how to configure an inbound and outbound rule by way of an example.

To configure an inbound rule, you will need to use a structure similar to the following command:

New-NetFirewallRule -DisplayName "Name of inbound rule" -Direction Inbound -Program <File_path_of_program> -RemoteAddress <IP> -Action <Action>

Where:

  • DisplayName: is the name given to the rule to help you keep your firewall rules organised, especially if you have a lot of them.
  • Direction Inbound: indicates that the rule is an inbound rule. This would read “Direction Outbound” for an outbound rule.
  • Program <File_path_of_program>: is the file location of the program that the inbound connections are allowed for.
  • RemoteAddress <IP>: is the source IP address. These are often ranges of IP addresses.
  • Action <Action>: this is the action to be taken by the firewall and can be set to either Allow or Block.

The following is an example of a command to set an inbound rule:

New-NetFirewallRule -DisplayName "Allow Telnet access" -Direction Inbound -Program "%SystemRoot%\System32\tlntsvr.exe" -RemoteAddress 192.168.0.2 -Action Allow

Part 1 - Example of a command to set an inbound rule for Telnet using PowerShell

If you need to make a change, you can do so using the command “Set-NetFirewallRule”, as in this example:

Set-NetFirewallRule -DisplayName "Allow Telnet access" -RemoteAddress 192.168.0.23

If you want to remove a rule, you can use the following command:

Remove-NetFirewallRule -DisplayName <Name_of_rule>

Where “DisplayName <Name_of_rule>” is used to identify the rule you wish to remove. It’s good to have a clear naming policy for firewall rules.

Here is an example of a command to remove a rule:

Remove-NetFirewallRule -DisplayName "Allow Telnet access"

By way of an example, we are now going to look at how we would set the firewall to do the following:

  • Allow incoming traffic for RDP connections.
  • Allow incoming traffic for HTTP and HTTPS connections.
  • Allow incoming traffic for FTP and SFTP connections.

The commands for this would look as follows:

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True

Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow -NotifyOnListen True -AllowUnicastResponseToMulticast True -LogFileName "%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log"

New-NetFirewallRule -DisplayName "Allow RDP - TCP 3389" -Direction Inbound -Action Allow -EdgeTraversalPolicy Allow -Protocol TCP -LocalPort 3389

New-NetFirewallRule -DisplayName "Allow HTTP - TCP 80" -Direction Inbound -Action Allow -EdgeTraversalPolicy Allow -Protocol TCP -LocalPort 80

New-NetFirewallRule -DisplayName "Allow HTTPS - TCP 443" -Direction Inbound -Action Allow -EdgeTraversalPolicy Allow -Protocol TCP -LocalPort 443

New-NetFirewallRule -DisplayName "Allow FTP and SFTP - TCP 20, 21 and 22" -Direction Inbound -EdgeTraversalPolicy Allow -Action Allow -Protocol TCP -LocalPort 20-22

You can run these commands on multiple machines and that way automate your firewall configuration.
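The following is an added example and not part of the original tutorial. It reworks the commands above into a form that is safe to run at every startup: New-NetFirewallRule creates a second rule with the same display name each time it runs, so each rule is looked up first and corrected with Set-NetFirewallRule if it already exists. It also turns on logging of blocked connections and limits RDP and FTP/SFTP to a management subnet. The subnet 10.0.10.0/24 and the rule names are constructed for the example.

```powershell
# Added example (not from the original tutorial). Idempotent firewall baseline
# intended for a GPO startup script. Assumption: 10.0.10.0/24 is the management
# subnet from which administrators connect; adjust it to your environment.

$LogPath = '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Profile baseline: firewall on, inbound blocked by default, blocked packets logged.
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogFileName $LogPath -LogBlocked True -LogMaxSizeKilobytes 32767

# Desired inbound rules: name, TCP port(s), allowed remote addresses, profile.
$Rules = @(
    @{ Name = 'Allow RDP - TCP 3389';          Port = 3389;    Remote = '10.0.10.0/24'; Profile = 'Domain' }
    @{ Name = 'Allow HTTP - TCP 80';           Port = 80;      Remote = 'Any';          Profile = 'Any' }
    @{ Name = 'Allow HTTPS - TCP 443';         Port = 443;     Remote = 'Any';          Profile = 'Any' }
    @{ Name = 'Allow FTP and SFTP - TCP 20-22'; Port = '20-22'; Remote = '10.0.10.0/24'; Profile = 'Domain' }
)

foreach ($r in $Rules) {
    # Look the rule up by display name; SilentlyContinue turns "not found" into $null.
    $existing = Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue

    if ($null -eq $existing) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Allow `
            -Protocol TCP -LocalPort $r.Port -RemoteAddress $r.Remote -Profile $r.Profile | Out-Null
    } else {
        # Rule already present (possibly changed by hand): push it back to the desired state.
        $existing | Set-NetFirewallRule -Enabled True -Direction Inbound -Action Allow `
            -Protocol TCP -LocalPort $r.Port -RemoteAddress $r.Remote -Profile $r.Profile
    }
}
```

Because the script creates local rules, a local administrator can still edit them between runs; the startup script simply restores the intended state at the next boot.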


Part 2 – Turning the Commands into a Small Script

If we’re being completely honest, it’s a little pretentious to call this set of commands a script. For one thing, there is no programming structure. However, the power of this ‘script’ lies in its simplicity.

To create a script from these commands, simply type them all in a text file and save the file with the file extension “.ps1”, which is the Windows PowerShell extension.

NOTE: Be careful if you copy and paste any characters as you might have problems with quotation marks (“), hyphens (-) and other characters.

Part 2 - Example of a text file containing PowerShell commands


Part 3 – Creating a Group Policy

So far, you have written your commands and created your PowerShell script. All that remains now is to create a Group Policy that will run the script and configure your devices.

NOTE: In this tutorial, we’ll configure the firewall for the whole domain, but it is possible to do it just for the Organisational Unit (OU) if you wish.

First, launch the Group Policy Management Console (GPMC) by running “GPMC.msc”. You should launch it with administrator privileges. You can also run it from the Tools menu on the Server Manager console (3).

Part 3 - Launch the GPMC from the Tools menu in Server Manager

Next, right-click on the domain (4) and select “Create a GPO in this domain, and Link it here” (5).

Part 3 - Select the option "Create a GPO in this domain, and Link it here"

You will then see a window asking for you to give the new GPO a name (6).

Part 3 - Give the new GPO a name

This opens the Group Policy Manager, where you should search for the GPO that you just created, right-click on it (7) and select “Edit” (8).

Part 3 - Edit the GPO that you just created

You will now see the GPO editor, which will show the root folder with no elements selected.

Part 3 - View of the GPO editor

At this point, you need to decide how you want to implement your GPO, and you have two options depending on whether your policy will apply to the device or the user:

  • Startup/Shutdown: To run the PowerShell script whenever the device starts up or shuts down, go to “Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown)”.
  • Logon/Logoff: To run the PowerShell script whenever a user logs on or off, go to “User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff)”.

NOTE: For this tutorial, we’ll choose to run the script when the device starts up. You can also do this using a firewall-based setting by going to “Computer Configuration > Policies > Windows Settings > Security Settings > Windows Defender Firewall”.

For this tutorial, we are going to run the script on the server when it starts up. So, we’ll choose the first option, going to “Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown)” (9). Next, right-click on “Startup” (10), select “Properties” and click on the “PowerShell Scripts” tab (11).

Part 3 - View of Properties: Startup window and the PowerShell Scripts tab

Lastly, click on “Add” (12) and enter the folder path (13) where your script is saved.

Part 3 - Add your firewall script

Everything should now be ready to go. You can check this by launching the Group Policy Management Console, searching for your GPO, checking its status and seeing whether it is linked to the script.
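As an added example that is not part of the original tutorial, the following script can be run on a member server after it has rebooted (or after “gpupdate /force”) to confirm that the startup script produced the intended state, and to flag inbound allow rules that expose a sensitive port to any remote address. The list of sensitive ports is constructed for the example.

```powershell
# Added example (not from the original tutorial): audit the effective firewall
# state on a server after the GPO startup script has run.
# Assumption: the ports below are the ones this environment treats as sensitive.
$SensitivePorts = @(20, 21, 22, 445, 3389, 5985, 5986)

# 1. Profile state: every profile should be enabled and default to Block inbound.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked, LogFileName |
    Format-Table -AutoSize

# 2. Effective inbound allow rules with the ports and remote scope they carry.
#    ActiveStore shows what is enforced; PolicyStoreSourceType is 'Local' for rules
#    created by the startup script and 'GroupPolicy' for rules defined in the GPO
#    firewall node itself.
$allowRules = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Action Allow -Enabled True

$report = foreach ($rule in $allowRules) {
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Name          = $rule.DisplayName
        Profile       = $rule.Profile
        Source        = $rule.PolicyStoreSourceType
        Protocol      = $port.Protocol
        LocalPort     = (@($port.LocalPort) -join ',')
        RemoteAddress = (@($addr.RemoteAddress) -join ',')
    }
}
$report | Sort-Object Name | Format-Table -AutoSize

# 3. Flag rules that open a sensitive port (single port or range) to any address.
function Test-SensitivePort([string]$Spec) {
    foreach ($p in $Spec -split ',') {
        if ($p -match '^(\d+)-(\d+)$') { $lo = [int]$Matches[1]; $hi = [int]$Matches[2] }
        elseif ($p -match '^\d+$')     { $lo = [int]$p; $hi = [int]$p }
        else                           { continue }   # 'Any', 'RPC' and similar keywords
        if ($SensitivePorts | Where-Object { $_ -ge $lo -and $_ -le $hi }) { return $true }
    }
    return $false
}

$report |
    Where-Object { $_.RemoteAddress -eq 'Any' -and (Test-SensitivePort $_.LocalPort) } |
    Format-Table Name, Source, LocalPort, RemoteAddress -AutoSize
```

Any rule listed by the last step is a candidate to tighten with Set-NetFirewallRule -RemoteAddress and the management subnet, as shown in the examples earlier in Part 1.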


Conclusion

As you can see in this tutorial, configuring your firewalls using PowerShell scripts and GPOs is really very quick and simple. It’s very straightforward to create a small PowerShell script using basic commands, and this can then be used to apply settings to every server in your OU.

If you would like to find out more about this topic, we recommend that you visit the section on Microsoft Learn dedicated to PowerShell commands for managing Windows Firewall.

We also recommend checking out the following tutorials, where you will find additional information and some practical examples of what you can achieve with Group Policies:

Thanks for reading!

Categories: Servers