AlexanderLyukov-4794 asked LimitlessTechnology-2700 answered

Prevent Windows Server from exposing ports to Internet without my participation.

Hello everyone.
Perhaps my question is very similar to that one: https://social.msdn.microsoft.com/Forums/en-US/ea31f8b6-2f92-4a26-af9b-b1ae31913663/how-to-prevent-automatic-creation-of-firewall-rules?forum=w7itprosecurity

But I can't believe that such a security gap can exist.

I have a list of win servers with Internet-facing interfaces. These hosts are not part of an AD domain. So, how can I prevent regularly exposing a new port to the whole Internet when some application requires it?

I clearly understand how to achieve this with Domain Group Policy but it's not the case here. Also, for instance, it can be configured in 1 minute in Linux using iptables. But here I feel confused. I tried Local Group Policy but it can only add some rules to the firewall and not overwrite them.

So, to sum up, I need to be able to set a list of Firewall rules somewhere and be sure that no new connection is possible unless I manually (or using some automation) edit this list. The list can be individual for each server. Its distribution is another task. But it should be a single source for rules on the host.

Thank you in advance!

Tags: windows-server, windows-server-security

mschiavon answered AlexanderLyukov-4794 edited

This guide is perfect for you: manage-windows-firewall-powershell


I created a simple PS script which removes any FW rules without a predefined prefix and triggers on event 4946 (creation of a new rule).

 # Remove every enabled inbound allow rule whose DisplayName lacks the managed prefix
 Get-NetFirewallRule -Action Allow -Enabled True -Direction Inbound | Where-Object { $_.DisplayName -notlike "prefix_*" } | Remove-NetFirewallRule

Now it works, thank you!

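The comment above describes the approach but not the wiring. The following script is an added example (not the asker's script and not from the thread): it implements the prefix-based cleanup with dry-run support and a log, and can register itself as a scheduled task that fires on Security event 4946. The prefix "prefix_", the script and log paths, and the task name "FirewallGuard" are placeholders; the event trigger is built through the Task Scheduler CIM class because the ScheduledTasks module has no cmdlet for event triggers.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Removes locally created inbound allow rules whose
# DisplayName lacks the managed prefix; with -Register it installs itself as a task that
# runs on Security event 4946. Prefix, paths and task name below are placeholders.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ManagedPrefix = 'prefix_',                      # placeholder naming convention
    [string]$LogPath       = 'C:\FirewallGuard\enforce.log', # placeholder path
    [switch]$Register                                        # install the event-triggered task
)

function Get-UnmanagedInboundAllowRule {
    param([string]$Prefix)
    # PersistentStore holds rules created locally (netsh, the API, installers). Rules
    # delivered by GPO live in another store and cannot be removed from here anyway.
    Get-NetFirewallRule -PolicyStore PersistentStore -Direction Inbound -Action Allow -Enabled True |
        Where-Object { $_.DisplayName -notlike "$Prefix*" }
}

function Invoke-FirewallBaseline {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Prefix, [string]$Log)
    $removed = 0
    foreach ($rule in @(Get-UnmanagedInboundAllowRule -Prefix $Prefix)) {
        $port   = $rule | Get-NetFirewallPortFilter
        $fields = @((Get-Date -Format o), $rule.DisplayName, $rule.Profile,
                    $port.Protocol, ($port.LocalPort -join ','))
        $entry  = '{0} removed "{1}" profile={2} proto={3} localport={4}' -f $fields
        # -WhatIf on the script propagates here, so a dry run only reports.
        if ($PSCmdlet.ShouldProcess($rule.DisplayName, 'Remove-NetFirewallRule')) {
            $rule | Remove-NetFirewallRule
            New-Item -ItemType Directory -Path (Split-Path $Log) -Force | Out-Null
            Add-Content -Path $Log -Value $entry
            $removed++
        }
    }
    return $removed
}

function Register-FirewallGuardTask {
    param([string]$ScriptPath, [string]$TaskName = 'FirewallGuard')   # placeholder task name
    # 4946 ("a rule was added to the exception list") is only written to the Security log
    # when this audit subcategory is enabled.
    auditpol.exe /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable | Out-Null

    # Event triggers are not exposed by New-ScheduledTaskTrigger; build one via CIM.
    $xpath = '*[System[Provider[@Name="Microsoft-Windows-Security-Auditing"] and EventID=4946]]'
    $subscription = "<QueryList><Query Id='0' Path='Security'><Select Path='Security'>$xpath</Select></Query></QueryList>"
    $class   = Get-CimClass -Namespace Root/Microsoft/Windows/TaskScheduler -ClassName MSFT_TaskEventTrigger
    $trigger = New-CimInstance -CimClass $class -ClientOnly
    $trigger.Subscription = $subscription
    $trigger.Enabled      = $true

    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
                           -Principal $principal -Force | Out-Null
}

if ($Register) {
    Register-FirewallGuardTask -ScriptPath $PSCommandPath
} else {
    $n = Invoke-FirewallBaseline -Prefix $ManagedPrefix -Log $LogPath
    Write-Output "Removed $n unmanaged inbound allow rule(s)."
}
```

Run it once with -WhatIf to see which existing rules would be removed before installing the task with -Register. Two limits worth keeping in mind: the task is reactive, so a newly added rule is live for the short interval between the 4946 event and the task run, whereas the GPO "do not merge local rules" approach in the other answer is preventive, so the two complement each other; and a name prefix is a convention, not an authorisation check, so anyone with rights to add a rule can also name it with the prefix, which makes the log the thing to review.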
LimitlessTechnology-2700 answered

Hello @AlexanderLyukov-4794

You are right, and the thread may be outdated due to older ADMX sets.

Basically you can lock the Firewall settings with the policies in:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\
There are two settings you want to set to disabled: "Windows Firewall: Allow local port exceptions" and "Windows Firewall: Allow local program exceptions"

After that nothing and no one will be able to apply changes to Windows Firewall through the API, but instead through GPO:
Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - Local Group Policy Object
*Note that these will be the only rules to take effect in your systems.

Hope this helps with your query,


--If the reply is helpful, please Upvote and Accept as answer--

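A way to verify that the lockdown from the answer above actually took effect, as an added example that is not part of the answer: the NetSecurity module (built into Windows Server 2012 and later) can read the effective configuration from the ActiveStore, where every rule carries a PolicyStoreSourceType of Local or GroupPolicy and each profile exposes AllowLocalFirewallRules, the flag that says whether locally created rules are still merged in. The script assumes it is run elevated; the report layout and the "LockedDown" verdict are this example's own.

```powershell
# Added example, not from the original answer. Reports whether each firewall profile still
# merges locally created rules, and which enabled inbound allow rules in the effective
# (ActiveStore) configuration come from the local persistent store versus Group Policy.
function Get-FirewallLockdownReport {
    [CmdletBinding()]
    param()

    # ActiveStore is the effective configuration after GPO and local settings are combined.
    $profiles = Get-NetFirewallProfile -PolicyStore ActiveStore |
        Select-Object Name, Enabled, DefaultInboundAction, AllowLocalFirewallRules

    $rules = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                DisplayName = $_.DisplayName
                Source      = [string]$_.PolicyStoreSourceType   # Local, GroupPolicy, Dynamic, ...
                Profile     = [string]$_.Profile
                Protocol    = [string]$port.Protocol
                LocalPort   = ($port.LocalPort -join ',')
            }
        }

    # An enabled profile whose merge flag is anything other than False still honours rules
    # added through the local API, which is exactly the gap the question describes.
    $openProfiles = @($profiles | Where-Object {
        "$($_.Enabled)" -ne 'False' -and "$($_.AllowLocalFirewallRules)" -ne 'False'
    })

    [pscustomobject]@{
        Profiles                  = $profiles
        ProfilesMergingLocalRules = @($openProfiles.Name)
        LocalRules                = @($rules | Where-Object Source -eq 'Local')
        GroupPolicyRules          = @($rules | Where-Object Source -eq 'GroupPolicy')
        LockedDown                = ($openProfiles.Count -eq 0)
    }
}

$report = Get-FirewallLockdownReport
$report.Profiles | Format-Table -AutoSize
"Locked down: $($report.LockedDown); profiles still merging local rules: $($report.ProfilesMergingLocalRules -join ', ')"
"Active inbound allow rules from the local store: $($report.LocalRules.Count)"
$report.LocalRules | Format-Table DisplayName, Profile, Protocol, LocalPort -AutoSize
```

After the local GPO settings are applied, the expected picture is LockedDown = True and an empty LocalRules list: any rule an application or installer adds locally will still appear in the persistent store, but it will no longer show up as active, which is the property the question asks for. If LocalRules is not empty, the merge flag has not taken effect on that profile and the rules listed there are the ones currently reachable from the network.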