Designing a Windows Defender Firewall with Advanced Security Strategy

Applies to

  • Windows 10
  • Windows 11
  • Windows Server 2016 and above

To select the most effective design for protecting the network, you must spend time collecting key information about your current computer environment. You must have a good understanding of what tasks the devices on the network perform and how they use the network to accomplish those tasks. You must also understand the network traffic generated by the programs running on those devices.

The information that you gather will help you answer the following questions. The answers will help you understand your security requirements and select the design that best matches those requirements. The information will also help you when it comes time to deploy your design, by helping you to build a deployment strategy that is cost effective and resource efficient. It will help you project and justify the expected costs associated with implementing the design.

  • What traffic must always be allowed? What are the characteristics of the network traffic generated and consumed by the business programs?

  • What traffic must always be blocked? Does your organization have policies that prohibit the use of specific programs? If so, what are the characteristics of the network traffic generated and consumed by the prohibited programs?

  • What traffic on the network cannot be protected by IPsec because the devices sending or receiving the traffic do not support IPsec?

  • For each type of network traffic, does the default configuration of the firewall (block all unsolicited inbound network traffic, allow all outbound traffic) allow or block the traffic as required?

  • Do you have an Active Directory domain (or forest of trusted domains) to which all your devices are joined? If you do not, then you cannot use Group Policy for easy mass deployment of your firewall and connection security rules. You also cannot easily take advantage of Kerberos V5 authentication that all domain clients can use.

  • Which devices must be able to accept unsolicited inbound connections from devices that are not part of the domain?

  • Which devices contain data that must be encrypted when exchanged with another computer?

  • Which devices contain sensitive data to which access must be restricted to specifically authorized users and devices?

  • Does your organization have specific network troubleshooting devices (such as protocol analyzers) that must be granted unlimited access to the devices on the network, essentially bypassing the firewall?
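
Several of these questions can be answered with a read-only inventory of each device. The following PowerShell script is an added example, not part of this guide: it reports the current default inbound and outbound actions for each firewall profile, lists the enabled rules that deviate from those defaults (inbound Allow and outbound Block rules, which are exactly the traffic you must decide to keep allowing or blocking), and checks whether the device is domain-joined, which is the prerequisite for Group Policy deployment. It assumes the built-in NetSecurity module is available, which is the case on the Windows versions this guide applies to.

```powershell
# Added example, not from the original guide. Read-only inventory to support the
# planning questions above. Run in an elevated PowerShell session on each device.

# Question: does the default configuration block unsolicited inbound and allow all outbound?
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# Question: which enabled rules deviate from those defaults? Inbound Allow rules open
# unsolicited inbound traffic; outbound Block rules restrict programs. Both must be
# accounted for when deciding what must always be allowed or always be blocked.
$deviations = Get-NetFirewallRule -Enabled True |
    Where-Object {
        ($_.Direction -eq 'Inbound'  -and $_.Action -eq 'Allow') -or
        ($_.Direction -eq 'Outbound' -and $_.Action -eq 'Block')
    }

$deviations | ForEach-Object {
    # Each rule's port and application filters describe the traffic it matches.
    $port = $_ | Get-NetFirewallPortFilter
    $app  = $_ | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        Name      = $_.DisplayName
        Direction = $_.Direction
        Action    = $_.Action
        Profile   = $_.Profile
        Protocol  = $port.Protocol
        LocalPort = ($port.LocalPort -join ',')
        Program   = $app.Program
    }
} | Sort-Object Direction, Name | Format-Table -AutoSize

# Question: is the device joined to an Active Directory domain? Without domain
# membership, Group Policy cannot be used to deploy firewall and connection security
# rules, and Kerberos V5 authentication is not available for IPsec rules.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
[pscustomobject]@{
    Computer     = $cs.Name
    PartOfDomain = $cs.PartOfDomain
    Domain       = $cs.Domain
} | Format-List
```

Running the script on a representative sample of devices from each role (workstations, servers, management hosts) gives you the per-role picture of default behaviour and existing exceptions that the questions above ask for.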

This guide describes how to plan your groups and GPOs for an environment with a mix of operating systems. Details can be found in the section Planning Group Policy Deployment for Your Isolation Zones later in this guide.
