How to Configure Windows Firewall with Advanced Security on Windows Server 2025
Windows Defender Firewall with Advanced Security (WFAS) is one of the most critical security controls available on Windows Server 2025. Unlike the simplified firewall interface available in Control Panel, WFAS exposes the full depth of Windows Filtering Platform capabilities — including granular inbound and outbound rule management, rule profiling across Domain, Private, and Public network categories, connection security rules using IPsec, and full scriptability through PowerShell. Whether you are hardening an exposed web server, locking down lateral movement between workloads in your datacenter, or enforcing authenticated encryption between hosts, mastering WFAS is essential for any Windows Server 2025 administrator. This tutorial covers both the GUI approach and the preferred PowerShell-first workflow.
Prerequisites
- A Windows Server 2025 instance (Standard or Datacenter edition)
- Administrator or Domain Admin privileges
- PowerShell 7.x or Windows PowerShell 5.1 (both pre-installed on Windows Server 2025)
- Basic familiarity with TCP/IP networking concepts (ports, protocols, CIDRs)
- For Group Policy deployment: an Active Directory domain and a Domain Controller
Step 1: Open Windows Defender Firewall with Advanced Security
There are several ways to open the WFAS console. The fastest GUI method is to run wf.msc from a Run dialog or PowerShell prompt. Alternatively, open Server Manager, navigate to Tools, and select Windows Defender Firewall with Advanced Security.
From PowerShell, you can inspect the current firewall state immediately:
# View the current profile states (Domain, Private, Public)
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
You should see output showing all three profiles. On a fresh Windows Server 2025 installation, inbound connections are blocked by default and outbound connections are allowed. This is the correct baseline — never change the default outbound action to Block without first inventorying every outbound connection your services require.
Step 2: Create Inbound Firewall Rules with PowerShell
The New-NetFirewallRule cmdlet is the PowerShell equivalent of the “New Rule” wizard in the WFAS GUI. It accepts a rich parameter set. The following example creates an inbound rule to allow HTTPS traffic on TCP port 443:
# Allow inbound HTTPS from any source
New-NetFirewallRule `
-DisplayName "Allow Inbound HTTPS" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 443 `
-Action Allow `
-Profile Domain,Private `
-Enabled True `
-Description "Permits inbound TLS/HTTPS connections on port 443"
To restrict by source IP range — useful for management ports — add the -RemoteAddress parameter:
# Allow RDP only from the management subnet
New-NetFirewallRule `
-DisplayName "Allow RDP from Management Network" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 3389 `
-RemoteAddress "10.10.0.0/24" `
-Action Allow `
-Profile Domain `
-Enabled True
For outbound rules, simply switch -Direction to Outbound. Outbound rules are important in zero-trust architectures where you want to prevent a compromised server from beaconing out to unknown destinations.
# Block outbound SMTP from this server (prevents spam relay if compromised)
New-NetFirewallRule `
-DisplayName "Block Outbound SMTP" `
-Direction Outbound `
-Protocol TCP `
-RemotePort 25 `
-Action Block `
-Profile Any `
-Enabled True
Step 3: Query and Audit Existing Firewall Rules
Use Get-NetFirewallRule to enumerate rules. The output can be verbose; filter aggressively:
# List all enabled inbound Allow rules
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
Select-Object DisplayName, Profile, @{N="Ports";E={(Get-NetFirewallPortFilter -AssociatedNetFirewallRule $_).LocalPort}} |
Format-Table -AutoSize
# Find rules matching a name pattern
Get-NetFirewallRule -DisplayName "*RDP*" | Format-List DisplayName, Direction, Action, Enabled, Profile
To see the full associated filter detail (port, address, application) for a rule, pipe to the appropriate filter cmdlets:
$rule = Get-NetFirewallRule -DisplayName "Allow RDP from Management Network"
$rule | Get-NetFirewallAddressFilter
$rule | Get-NetFirewallPortFilter
$rule | Get-NetFirewallApplicationFilter
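The audit above shows the filters for one rule at a time. The following function, added here as an example and not part of the original article, joins every enabled inbound Allow rule with its port, address and application filters and flags rules reachable from any source, with a stronger flag when the rule also applies to an untrusted profile (the function name and the finding labels are this example's own choices):

```powershell
# Added example (not from the original article): join each enabled inbound Allow rule
# with its port, address and application filters and flag rules that are reachable from
# any source, with a stronger flag when the rule also applies to an untrusted profile.
function Get-InboundAllowExposure {
    param(
        # Profiles treated as untrusted; Public is the one the article says to keep restrictive
        [string[]]$UntrustedProfiles = @('Public')
    )
    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction Stop
    foreach ($rule in $rules) {
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        $app  = $rule | Get-NetFirewallApplicationFilter
        # Profile is a flags enum; it stringifies as 'Any' or e.g. 'Domain, Private'
        $profiles  = "$($rule.Profile)" -split ',\s*'
        $remote    = @($addr.RemoteAddress) -join ','
        $anySource = ($remote -eq '' -or $remote -eq 'Any')
        $untrusted = ($profiles -contains 'Any') -or
                     @($profiles | Where-Object { $UntrustedProfiles -contains $_ }).Count -gt 0
        $finding = if ($anySource -and $untrusted) { 'ANY-SOURCE-UNTRUSTED-PROFILE' }
                   elseif ($anySource)              { 'ANY-SOURCE' }
                   else                             { 'SCOPED' }
        [pscustomobject]@{
            DisplayName   = $rule.DisplayName
            Group         = $rule.DisplayGroup
            Profile       = "$($rule.Profile)"
            Protocol      = $port.Protocol
            LocalPort     = @($port.LocalPort) -join ','
            RemoteAddress = $remote
            Program       = $app.Program
            Finding       = $finding
        }
    }
}

# Usage: everything not scoped to a source range, broadest exposure first
Get-InboundAllowExposure |
    Where-Object Finding -ne 'SCOPED' |
    Sort-Object Finding, DisplayName |
    Format-Table DisplayName, Profile, Protocol, LocalPort, RemoteAddress, Finding -AutoSize
```

Rules that report ANY-SOURCE on a server that only serves a known client range are candidates for the -RemoteAddress scoping shown in Step 2.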
Step 4: Modify Existing Rules with Set-NetFirewallRule
Rather than deleting and recreating rules, use Set-NetFirewallRule to update properties in place. This preserves the rule’s GUID, which is important when rules are referenced by Group Policy:
# Disable a rule temporarily without deleting it
Set-NetFirewallRule -DisplayName "Allow Inbound HTTPS" -Enabled False
# Re-enable it
Set-NetFirewallRule -DisplayName "Allow Inbound HTTPS" -Enabled True
# Expand an existing rule to also allow the Public profile
Set-NetFirewallRule -DisplayName "Allow Inbound HTTPS" -Profile Domain,Private,Public
# Update the remote address filter on an existing rule
Set-NetFirewallRule -DisplayName "Allow RDP from Management Network" -RemoteAddress "10.10.0.0/23"
Step 5: Remove Rules
Use Remove-NetFirewallRule with caution. Always confirm what you are about to delete by running Get-NetFirewallRule first with the same filter criteria:
# Preview what will be deleted
Get-NetFirewallRule -DisplayName "Block Outbound SMTP"
# Delete a specific rule by display name
Remove-NetFirewallRule -DisplayName "Block Outbound SMTP"
# Delete all disabled rules (use with extreme caution — preview first)
Get-NetFirewallRule -Enabled False | Remove-NetFirewallRule -WhatIf
Step 6: Work with Rule Profiles (Domain, Private, Public)
Windows assigns each network adapter to a profile. In an enterprise, wired connections typically receive the Domain profile (when domain authentication is detected), while Wi-Fi or untrusted networks receive Private or Public. Rules can be scoped to one, two, or all three profiles:
# View current adapter profiles
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory, IPv4Connectivity
# Move a non-domain adapter from Public to Private. DomainAuthenticated cannot be set with this
# cmdlet: Network Location Awareness assigns it automatically when a domain controller is reachable.
Set-NetConnectionProfile -InterfaceAlias "Ethernet0" -NetworkCategory Private
Most server rules should target the Domain profile. Rules targeting Public should be extremely restrictive since a public-profile adapter is considered untrusted.
Step 7: Configure Connection Security Rules (IPsec)
Connection security rules enforce IPsec authentication and/or encryption between hosts — independent of allow/block rules. They are configured under Connection Security Rules in the WFAS GUI, or via New-NetIPsecRule in PowerShell:
# Require IPsec (Kerberos machine authentication) on inbound connections from the DB host; only
# request it outbound, so outbound traffic falls back to clear text if the peer cannot negotiate IPsec.
# The Phase 1 auth set must already exist; match on DisplayName (Name is usually a GUID) and pass its Name.
New-NetIPsecRule `
-DisplayName "Require Auth - App to DB" `
-InboundSecurity Require `
-OutboundSecurity Request `
-RemoteAddress "10.10.1.50" `
-Phase1AuthSet (Get-NetIPsecPhase1AuthSet -PolicyStore ActiveStore | Where-Object {$_.DisplayName -like "*Kerberos*"} | Select-Object -First 1 -ExpandProperty Name)
# View existing IPsec rules
Get-NetIPsecRule | Select-Object DisplayName, InboundSecurity, OutboundSecurity, Enabled
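The rule above relies on an existing Kerberos authentication set and only authenticates traffic. The following script, added here as an example and not part of the original article, builds the authentication set and an ESP/AES-256 crypto set itself, requires both in both directions for SQL traffic to the DB host from Step 7, and then checks that security associations were actually negotiated. It assumes both hosts are domain members and that the DB host carries a matching rule; the display names and the Test-IPsecPeer helper are this example's own.

```powershell
# Added example (not from the original article): Kerberos machine authentication plus
# ESP/AES-256 encryption for App -> DB SQL traffic, then a check that SAs were built.
# Assumed: both hosts are domain members and the DB host carries a matching rule.
$DbHost = '10.10.1.50'   # address taken from the article's Step 7 example

# Phase 1: authenticate computers with Kerberos (no certificates or pre-shared keys to manage)
$kerb    = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet = New-NetIPsecPhase1AuthSet -DisplayName 'Machine Kerberos' -Proposal $kerb

# Phase 2: ESP with AES-256 and SHA-256 integrity, so the traffic is encrypted, not merely authenticated
$esp       = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
$cryptoSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'ESP AES256-SHA256' -Proposal $esp

# Require security in both directions: SQL traffic to or from the DB host that is not
# protected by IPsec is dropped instead of falling back to clear text
New-NetIPsecRule -DisplayName 'Require Encrypted SQL - App to DB' `
    -InboundSecurity Require -OutboundSecurity Require `
    -RemoteAddress $DbHost -Protocol TCP -RemotePort 1433 `
    -Phase1AuthSet $authSet.Name -QuickModeCryptoSet $cryptoSet.Name `
    -Profile Domain

function Test-IPsecPeer {
    param([Parameter(Mandatory)][string]$Peer)
    # Trigger a connection so the SAs are negotiated, then read back what was established
    $null = Test-NetConnection -ComputerName $Peer -Port 1433 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Peer        = $Peer
        MainModeSA  = @(Get-NetIPsecMainModeSA  | Where-Object RemoteEndpoint -eq $Peer).Count
        QuickModeSA = @(Get-NetIPsecQuickModeSA | Where-Object RemoteEndpoint -eq $Peer).Count
    }
}

# Both counts should be non-zero once the peer has a matching rule; zero means the
# connection was dropped (Require) rather than silently sent in the clear
Test-IPsecPeer -Peer $DbHost
```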
Step 8: Export and Import Firewall Rules
For backup and migration, use netsh advfirewall to export and import the complete firewall policy as a binary .wfw file:
# Export all firewall rules and settings to a file
netsh advfirewall export "C:\Firewall\ServerPolicy.wfw"
# Import firewall rules on another server (replaces existing policy)
netsh advfirewall import "C:\Firewall\ServerPolicy.wfw"
# Reset to default (emergency rollback — use carefully)
netsh advfirewall reset
For a more selective PowerShell-based export (rules only, as objects), you can serialize to JSON. Note that the port, address and application filters are separate objects and are not captured by this command:
Get-NetFirewallRule | ConvertTo-Json -Depth 5 | Out-File "C:\Firewall\rules-export.json"
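The plain JSON export above loses each rule's filters, so it cannot be replayed on another server. The following pair of functions, added here as an example and not part of the original article, exports custom rules together with their port, address and application filters and re-imports them idempotently, updating a rule in place (keeping its GUID, as Step 4 recommends) when its Name already exists. The function names are this example's own; predefined grouped rules are skipped because Step 10 re-enables those by group.

```powershell
# Added example (not from the original article): export custom rules with their filters
# and re-import them idempotently. Scope: port/address/program filters only; interface,
# service and edge-traversal settings are not carried across.
function Export-FirewallRuleSet {
    param([Parameter(Mandatory)][string]$Path)
    # Custom rules only: predefined (grouped) rules are re-enabled by group, see Step 10
    $rules = Get-NetFirewallRule -PolicyStore PersistentStore | Where-Object { -not $_.DisplayGroup }
    $export = foreach ($r in $rules) {
        $port = $r | Get-NetFirewallPortFilter
        $addr = $r | Get-NetFirewallAddressFilter
        $app  = $r | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name = $r.Name; DisplayName = $r.DisplayName; Description = $r.Description
            Direction = "$($r.Direction)"; Action = "$($r.Action)"; Enabled = "$($r.Enabled)"
            Profile = "$($r.Profile)"; Protocol = $port.Protocol
            LocalPort = @($port.LocalPort); RemotePort = @($port.RemotePort)
            LocalAddress = @($addr.LocalAddress); RemoteAddress = @($addr.RemoteAddress)
            Program = $app.Program
        }
    }
    ConvertTo-Json -InputObject @($export) -Depth 4 | Set-Content -Path $Path -Encoding UTF8
}

function Import-FirewallRuleSet {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($e in @(Get-Content -Path $Path -Raw | ConvertFrom-Json)) {
        $props = @{
            Direction = $e.Direction; Action = $e.Action; Enabled = $e.Enabled
            Profile = @($e.Profile -split ',\s*'); Protocol = $e.Protocol
            LocalPort = @($e.LocalPort); RemotePort = @($e.RemotePort)
            LocalAddress = @($e.LocalAddress); RemoteAddress = @($e.RemoteAddress)
            Program = $e.Program; Description = $e.Description
        }
        # Drop empty values so the cmdlets keep their defaults instead of rejecting $null
        foreach ($k in @($props.Keys)) { if (-not $props[$k]) { $props.Remove($k) } }
        # Idempotent: update in place when the stable Name exists (keeps its GUID), else create
        if (Get-NetFirewallRule -Name $e.Name -ErrorAction SilentlyContinue) {
            Set-NetFirewallRule -Name $e.Name -NewDisplayName $e.DisplayName @props
        } else {
            New-NetFirewallRule -Name $e.Name -DisplayName $e.DisplayName @props
        }
    }
}

# Usage (path is a constructed example): export on the source server, import on the target
Export-FirewallRuleSet -Path 'C:\Firewall\custom-rules.json'
Import-FirewallRuleSet -Path 'C:\Firewall\custom-rules.json'
```

Because the import is idempotent, the exported file can be version-controlled and re-applied on every run of a deployment pipeline, which is the "firewall configuration as code" practice the conclusion recommends.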
Step 9: Deploy Rules via Group Policy
In a domain environment, the most scalable approach is to configure WFAS rules through Group Policy Objects (GPOs). Open Group Policy Management Console, create or edit a GPO, and navigate to:
Computer Configuration > Policies > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security
You can also push firewall rules via PowerShell targeting the Group Policy store directly:
# Create a rule in the Group Policy store rather than the local store
New-NetFirewallRule `
-DisplayName "Allow SQL Server from App Tier" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 1433 `
-RemoteAddress "10.10.2.0/24" `
-Action Allow `
-PolicyStore "contoso.local\ServerFirewallPolicy"
Step 10: Enable Predefined Rules
Windows Server 2025 ships with hundreds of predefined rules for built-in services and roles. Enable them by name rather than recreating them:
# Enable all predefined rules for Remote Desktop
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
# Enable predefined rules for File and Printer Sharing
Enable-NetFirewallRule -DisplayGroup "File and Printer Sharing"
# List all available predefined groups
Get-NetFirewallRule | Select-Object -ExpandProperty DisplayGroup | Sort-Object -Unique
Conclusion
Windows Defender Firewall with Advanced Security on Windows Server 2025 is a powerful, layered security control that goes far beyond simple port blocking. By combining PowerShell cmdlets like New-NetFirewallRule, Get-NetFirewallRule, Set-NetFirewallRule, and Remove-NetFirewallRule with profile-aware rules, IPsec connection security, and Group Policy deployment, you can build a defense-in-depth posture that limits blast radius in the event of a breach. Treat your firewall configuration as code: export it regularly, version-control it, and deploy it consistently across your server fleet via GPO or PowerShell DSC. The default deny-inbound posture of WFAS is your most valuable baseline — every rule you add is an explicit decision, and those decisions should be documented and reviewed periodically.