Prevent Windows Server from exposing ports to Internet without my participation.

Alexander Lyukov 21 Reputation points
2021-10-01T09:46:40.9+00:00

Hello everyone.
Perhaps my question is very similar to this one: https://social.msdn.microsoft.com/Forums/en-US/ea31f8b6-2f92-4a26-af9b-b1ae31913663/how-to-prevent-automatic-creation-of-firewall-rules?forum=w7itprosecurity

But I can't believe that such a security gap can exist.

I have a list of Windows servers with Internet-facing interfaces. These hosts are not part of an AD domain. So, how can I prevent the regular exposing of a new port to the whole Internet when some application requires it?

I clearly understand how to achieve this with Domain Group Policy, but that's not the case here. Also, for instance, it can be configured in 1 minute in Linux using iptables. But here I feel confused. I tried Local Group Policy, but it can only add some rules to the firewall and not overwrite them.

So, to sum up, I need to be able to set a list of firewall rules somewhere and be sure that no new connection is possible unless I manually (or using some automation) edit this list. The list can be individual for each server. Its distribution is another task. But it should be a single source for rules on the host.

Thank you in advance!


Accepted answer
  1. Marco Schiavon 711 Reputation points
    2021-10-01T10:15:19.9+00:00

    This guide is perfect for you: manage-windows-firewall-powershell


1 additional answer

  1. Limitless Technology 39,371 Reputation points
    2021-10-01T17:55:38.077+00:00

    Hello @Alexander Lyukov

    You are right, and the thread may be outdated due to older ADMX sets.

    Basically you can lock the Firewall settings with the policies in:
    Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\
    There are two settings you want to set to Disabled: "Windows Firewall: Allow local port exceptions" and "Windows Firewall: Allow local program exceptions".

    After that nothing and no one will be able to apply changes to Windows Firewall through the API, but instead only through GPO:
    Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - Local Group Policy Object
    *Note that these will be the only rules to take effect in your systems.

    Hope this helps with your query,

    --------------

    --If the reply is helpful, please Upvote and Accept as answer--

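The same lock-down that the accepted answer's PowerShell guide and the answer above describe through the Local Group Policy editor can be scripted, which fits the question's wish for a per-server rule list that is the single source of truth. The script below is an added example, not code from either answer or from Microsoft's guide. It assumes (my assumptions, not the thread's) that the NetSecurity cmdlets address the local Group Policy Object as `-PolicyStore localhost`, and that `$AllowedInbound` stands in for whatever per-server list the asker distributes to each host. Run it in an elevated PowerShell on the server itself.

```powershell
# Added example: make the local GPO the only source of inbound firewall rules on a
# standalone (non-domain) Windows Server, then verify the effective policy.
# Assumption: 'localhost' as -PolicyStore targets the local Group Policy Object.

$ErrorActionPreference = 'Stop'
$Store     = 'localhost'        # local GPO store (assumed name)
$RuleGroup = 'ManagedInbound'   # tag so the script can replace its own rules later

# Per-server allow list (constructed sample values; replace with the real list for this host).
# RemoteAddress uses an RFC 5737 documentation range as a placeholder.
$AllowedInbound = @(
    @{ Name = 'Allow-RDP-from-mgmt'; Protocol = 'TCP'; Port = 3389; Remote = '203.0.113.0/24' },
    @{ Name = 'Allow-HTTPS';         Protocol = 'TCP'; Port = 443;  Remote = 'Any' }
)

# 1. Default-deny inbound on all profiles and stop merging locally created rules.
#    AllowLocalFirewallRules/AllowLocalIPsecRules = False is the cmdlet form of disabling
#    "Allow local port exceptions" / "Allow local program exceptions": rules that an
#    application adds via the API are still stored, but no longer take effect.
Set-NetFirewallProfile -Profile Domain, Private, Public -PolicyStore $Store `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -AllowLocalFirewallRules False `
    -AllowLocalIPsecRules False

# 2. Replace the previously managed rules with the current allow list, so the list is authoritative.
Get-NetFirewallRule -PolicyStore $Store -Group $RuleGroup -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

foreach ($r in $AllowedInbound) {
    New-NetFirewallRule -PolicyStore $Store -Group $RuleGroup `
        -DisplayName $r.Name -Direction Inbound -Action Allow -Enabled True `
        -Protocol $r.Protocol -LocalPort $r.Port -RemoteAddress $r.Remote | Out-Null
}

# 3. Refresh policy so the local GPO changes are merged into the active store.
gpupdate /target:computer /force | Out-Null

# 4. Verify what is actually enforced: read the ActiveStore (the merged result), not the
#    persistent store where an application's self-added rules would still be visible.
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, DefaultInboundAction, AllowLocalFirewallRules |
    Format-Table -AutoSize

# Inbound allow rules in force right now, with the port they open and where they came from.
# Anything whose PolicyStoreSource is not the local GPO is a rule that should not be winning.
Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule     = $_.DisplayName
            Protocol = $pf.Protocol
            Port     = $pf.LocalPort
            Source   = $_.PolicyStoreSource
        }
    } | Format-Table -AutoSize
```

The verification step matters more than the lock-down itself: after an installer claims to have "opened port X", re-running step 4 shows whether that rule is merely stored or actually effective, which is the check the asker wants to be able to make on each server. Keeping the allow list in version control and re-running the script from a deployment tool turns it into the distributable single source of rules the question asks for.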