Prevent Windows Server from exposing ports to Internet without my participation.
Hello everyone.
Perhaps my question is very similar to this one: https://social.msdn.microsoft.com/Forums/en-US/ea31f8b6-2f92-4a26-af9b-b1ae31913663/how-to-prevent-automatic-creation-of-firewall-rules?forum=w7itprosecurity
But I can't believe that such a security gap can exist.
I have a list of Windows servers with Internet-facing interfaces. These hosts are not part of an AD domain. So, how can I prevent a new port from regularly being exposed to the whole Internet when some application requires it?
I clearly understand how to achieve this with Domain Group Policy, but that's not the case here. Also, for instance, it can be configured in 1 minute on Linux using iptables. But here I feel confused. I tried Local Group Policy, but it can only add some rules to the firewall and not overwrite them.
So, to sum up, I need to be able to set a list of firewall rules somewhere and be sure that no new connection is possible unless I manually (or using some automation) edit this list. The list can be individual for each server. Its distribution is another task. But it should be a single source for rules on the host.
Thank you in advance!
Limitless Technology 39,371 Reputation points
2021-10-01T17:55:38.077+00:00
Hello @Alexander Lyukov,
You are right, and the thread may be outdated due to older ADMX sets.
Basically, you can lock the firewall settings with the policies in:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\
There are two settings you want to set to Disabled: "Windows Firewall: Allow local port exceptions" and "Windows Firewall: Allow local program exceptions". After that, nothing and no one will be able to apply changes to Windows Firewall through the API, but instead only through GPO:
Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - Local Group Policy Object
Note that these will be the only rules to take effect on your systems.
Hope this helps with your query,
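As an added example (not from the original thread), the following PowerShell audit checks whether the lock-down described in the answer has actually taken effect on a stand-alone server: it reads the effective per-profile firewall settings and lists any inbound allow rule that is still in effect but originates from the local store rather than Group Policy, which is what an application-created rule would be. It assumes the NetSecurity module cmdlets (Get-NetFirewallProfile, Get-NetFirewallRule, Get-NetFirewallPortFilter, Get-NetFirewallApplicationFilter) are available, as they are on Windows Server 2012 and later, and that it is run from an elevated session.

```powershell
# Added audit example, not code from the original thread. Run as Administrator
# after the two "Allow local ... exceptions" policies have been set to Disabled.
Import-Module NetSecurity

# Effective (ActiveStore) per-profile settings. AllowLocalFirewallRules is the
# modern "Apply local firewall rules" GPO setting; NotConfigured or True means
# locally created rules are still merged into the enforced policy.
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, DefaultInboundAction, AllowLocalFirewallRules |
    Format-Table -AutoSize

# Inbound allow rules currently enforced whose source is the local store
# (PolicyStoreSourceType 'Local') instead of Group Policy ('GroupPolicy').
$localInbound = Get-NetFirewallRule -PolicyStore ActiveStore `
        -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.PolicyStoreSourceType -eq 'Local' }

# Resolve each offending rule to the port/program it actually opens.
$report = foreach ($rule in $localInbound) {
    $port = $rule | Get-NetFirewallPortFilter
    $app  = $rule | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        Rule      = $rule.DisplayName
        Profile   = $rule.Profile
        Protocol  = $port.Protocol
        LocalPort = ($port.LocalPort -join ',')
        Program   = $app.Program
    }
}

if ($report) {
    $count = @($report).Count
    Write-Warning ("{0} locally created inbound allow rule(s) still in effect; " +
                   "the lock-down is not complete." -f $count)
    $report | Format-Table -AutoSize
} else {
    Write-Host "No locally created inbound allow rules are in effect; only GPO rules apply."
}
```

Re-run the script after `gpupdate /force` if the policy was just changed; the ActiveStore reflects the merged result of local and GPO stores, so a non-empty report means an application could still have opened a port.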