How to Configure Windows Server 2019 Firewall

Windows Defender Firewall with Advanced Security (WFAS) on Windows Server 2019 is a host-based stateful packet filter that protects the server from unauthorized network access. It supports inbound and outbound filtering, connection security rules using IPsec, and profile-based policies for Domain, Private, and Public network locations. Properly configuring the firewall is a critical security task that should be completed before placing any server on a production network.

Understanding Firewall Profiles

Windows Firewall applies different rule sets based on the active network profile. The Domain profile applies when the server is connected to a network containing an Active Directory domain controller. The Private profile applies to trusted private networks such as a home or office network not in a domain. The Public profile is the most restrictive and applies when connected to public networks. On servers joined to a domain, the Domain profile is typically active and most relevant.

# Check the status of all firewall profiles
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# Verify which profile is currently active
Get-NetConnectionProfile

Enabling and Configuring Firewall Profiles

Ensure Windows Firewall is enabled for all profiles. A common security mistake is disabling the firewall to resolve a connectivity issue and never re-enabling it:

# Enable firewall for all profiles
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True

# Set default inbound action to Block and outbound to Allow
Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block -DefaultOutboundAction Allow
Set-NetFirewallProfile -Profile Private -DefaultInboundAction Block -DefaultOutboundAction Allow
Set-NetFirewallProfile -Profile Public -DefaultInboundAction Block -DefaultOutboundAction Allow

# Configure logging of blocked (and, optionally, allowed) packets; useful for troubleshooting.
# Logging allowed packets fills the log quickly on a busy server, so enable it only while you need it.
Set-NetFirewallProfile -Profile Domain `
    -LogAllowed True `
    -LogBlocked True `
    -LogFileName "%systemroot%\system32\LogFiles\Firewall\pfirewall.log" `
    -LogMaxSizeKilobytes 32767

Creating Inbound Firewall Rules

Inbound rules control traffic coming into the server. Create rules only for the services the server provides. Avoid creating overly broad rules:

# Allow HTTPS (TCP 443) from any source
New-NetFirewallRule `
    -DisplayName "Allow HTTPS Inbound" `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort 443 `
    -Action Allow `
    -Profile Domain, Private

# Allow HTTP (TCP 80) from internal subnets only
New-NetFirewallRule `
    -DisplayName "Allow HTTP from Internal" `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort 80 `
    -RemoteAddress 192.168.0.0/16 `
    -Action Allow `
    -Profile Domain

# Allow RDP (TCP 3389) from specific admin workstations only
New-NetFirewallRule `
    -DisplayName "Allow RDP from Admin Hosts" `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort 3389 `
    -RemoteAddress 192.168.1.50, 192.168.1.51 `
    -Action Allow `
    -Profile Domain

# Allow ICMP (ping) for troubleshooting
New-NetFirewallRule `
    -DisplayName "Allow ICMPv4 Echo Request" `
    -Protocol ICMPv4 `
    -IcmpType 8 `
    -Direction Inbound `
    -Action Allow `
    -Profile Domain, Private

# Allow DNS queries (if this is a DNS server)
New-NetFirewallRule `
    -DisplayName "Allow DNS UDP Inbound" `
    -Direction Inbound `
    -Protocol UDP `
    -LocalPort 53 `
    -Action Allow `
    -Profile Domain

New-NetFirewallRule `
    -DisplayName "Allow DNS TCP Inbound" `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort 53 `
    -Action Allow `
    -Profile Domain
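The advice above to avoid overly broad rules is easiest to follow with a check that finds the offenders. The following audit is an added example, not code from the original article: it lists enabled inbound Allow rules that expose a remote-management port (the port list is an assumption, adjust it to your services) to any source address.

```powershell
# Added example (not from the original article): find enabled inbound Allow
# rules that expose remote-management ports to any source address.
# The port list is an assumption; adjust it to the services your servers run.
$ManagementPorts = @('3389', '5985', '5986', '22', '445')

function Get-OverlyPermissiveInboundRule {
    param([string[]]$Ports = $ManagementPorts)

    # Only enabled inbound rules with Action Allow can expose a listener
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $rule       = $_
        $portFilter = $rule | Get-NetFirewallPortFilter
        $addrFilter = $rule | Get-NetFirewallAddressFilter

        # ICMP rules carry an ICMP type rather than a TCP/UDP port; skip them
        if ($portFilter.Protocol -like 'ICMP*') { return }

        # LocalPort is a string array; 'Any' matches every port
        $localPorts   = @($portFilter.LocalPort)
        $matchedPorts = $localPorts | Where-Object { $_ -eq 'Any' -or $Ports -contains $_ }
        # RemoteAddress 'Any' means the rule applies no source restriction
        $openToAll    = @($addrFilter.RemoteAddress) -contains 'Any'

        if ($matchedPorts -and $openToAll) {
            [PSCustomObject]@{
                DisplayName   = $rule.DisplayName
                Profile       = $rule.Profile
                Protocol      = $portFilter.Protocol
                LocalPort     = $localPorts -join ','
                RemoteAddress = @($addrFilter.RemoteAddress) -join ','
            }
        }
    }
}

# Rules listed here should be scoped with -RemoteAddress or disabled
Get-OverlyPermissiveInboundRule | Format-Table -AutoSize
```

The same function serves the periodic audit for overly permissive rules recommended at the end of this article.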

Creating Outbound Firewall Rules

By default, Windows Firewall allows all outbound traffic. In high-security environments, restrict outbound traffic to only what is necessary. This requires significant planning but greatly limits the ability of malware to communicate with external command-and-control servers:

# Block all outbound traffic except what is explicitly allowed (high-security mode).
# Create the allow rules below before switching the default, or a session that
# depends on DNS or domain authentication will lose connectivity.
Set-NetFirewallProfile -Profile Domain -DefaultOutboundAction Block

# Allow outbound DNS
New-NetFirewallRule `
    -DisplayName "Allow Outbound DNS" `
    -Direction Outbound `
    -Protocol UDP `
    -RemotePort 53 `
    -Action Allow

# Allow outbound HTTPS
New-NetFirewallRule `
    -DisplayName "Allow Outbound HTTPS" `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort 443 `
    -Action Allow

# Allow outbound HTTP (for Windows Update)
New-NetFirewallRule `
    -DisplayName "Allow Outbound HTTP" `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort 80 `
    -Action Allow

# Allow outbound Kerberos (for domain authentication)
New-NetFirewallRule `
    -DisplayName "Allow Outbound Kerberos" `
    -Direction Outbound `
    -Protocol TCP `
    -RemotePort 88 `
    -Action Allow

New-NetFirewallRule `
    -DisplayName "Allow Outbound Kerberos UDP" `
    -Direction Outbound `
    -Protocol UDP `
    -RemotePort 88 `
    -Action Allow
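The planning the outbound-block mode requires starts with knowing what the server already talks to. As an added example (not part of the original article), the function below summarises current outbound TCP sessions per process and remote port, which is the raw material for the allow list; UDP flows such as DNS are not tracked this way and are covered by the rules above.

```powershell
# Added example (not from the original article): capture which processes
# currently talk to which remote ports, as input for the outbound allow list.
function Get-OutboundBaseline {
    # Established TCP sessions only; listeners and loopback traffic are excluded.
    # UDP is connectionless and does not appear here.
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1') } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $name = if ($proc) { $proc.ProcessName } else { "PID $($_.OwningProcess)" }
            [PSCustomObject]@{
                Process       = $name
                RemotePort    = $_.RemotePort
                RemoteAddress = $_.RemoteAddress
            }
        } |
        Group-Object Process, RemotePort |
        ForEach-Object {
            [PSCustomObject]@{
                Process     = $_.Group[0].Process
                RemotePort  = $_.Group[0].RemotePort
                Connections = $_.Count
                Remotes     = ($_.Group.RemoteAddress | Sort-Object -Unique) -join ','
            }
        } |
        Sort-Object Connections -Descending
}

# Anything in this list that is not covered by an outbound Allow rule will be
# cut off once DefaultOutboundAction is set to Block
Get-OutboundBaseline | Format-Table -AutoSize
```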

Managing Built-In Firewall Rules

Windows Server 2019 ships with hundreds of pre-defined firewall rules for common Windows services. Many are disabled by default. Enable them as needed rather than creating duplicate rules:

# List all rules that are currently disabled (most built-in rules ship disabled)
Get-NetFirewallRule -Enabled False | Select-Object DisplayName, Direction | Sort-Object Direction

# Enable the built-in Remote Desktop rules
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

# Enable built-in Windows Remote Management rules
Enable-NetFirewallRule -DisplayGroup "Windows Remote Management"

# Enable built-in File and Printer Sharing rules
Enable-NetFirewallRule -DisplayGroup "File and Printer Sharing"

# Disable a rule by name
Disable-NetFirewallRule -DisplayName "Routing and Remote Access (PPTP-In)"

# List all enabled inbound rules
Get-NetFirewallRule -Direction Inbound -Enabled True | Select-Object DisplayName, Action | Sort-Object DisplayName

Configuring Connection Security Rules (IPsec)

Connection Security Rules use IPsec to authenticate and/or encrypt traffic between two endpoints. This is used for server isolation, requiring authenticated connections before allowing communication:

# Require authentication for all connections from a specific subnet
New-NetIPsecRule `
    -DisplayName "Require Auth from Internal Clients" `
    -InboundSecurity Require `
    -OutboundSecurity Request `
    -LocalAddress Any `
    -RemoteAddress 192.168.1.0/24

# Create an isolation rule: management ports are reachable only over IPsec-authenticated
# connections (with Kerberos machine authentication this amounts to requiring domain membership)
New-NetFirewallRule `
    -DisplayName "Require Authentication for Management" `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort 22,5985,5986 `
    -Authentication Required `
    -Action Allow
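The rule above relies on the default authentication method. As an added example that is not the article's own code, the connection security rule can name Kerberos machine authentication explicitly, which is what ties "authenticated" to "domain-joined"; the subnet and display names are assumed, and the check at the end confirms that a peer has actually negotiated an IPsec security association.

```powershell
# Added example (not from the original article): bind the connection security
# rule to Kerberos machine authentication and verify that peers negotiate IPsec.
# Subnet and rule names are assumptions.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Kerberos Machine Auth' -Proposal $proposal

New-NetIPsecRule -DisplayName 'Require Kerberos Auth from Internal Clients' `
    -InboundSecurity Require `
    -OutboundSecurity Request `
    -LocalAddress Any `
    -RemoteAddress 192.168.1.0/24 `
    -Phase1AuthSet $authSet.Name

# After a client has connected, an IPsec main-mode SA must exist for it.
# No SA for a peer means it never authenticated and its traffic to the
# -Authentication Required ports is being dropped.
function Get-IPsecPeerSA {
    param([string]$Remote)
    Get-NetIPsecMainModeSA |
        Where-Object { $_.RemoteEndpoint -eq $Remote } |
        Select-Object LocalEndpoint, RemoteEndpoint
}

Get-IPsecPeerSA -Remote 192.168.1.10   # assumed client address
```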

Deploying Firewall Rules via Group Policy

For consistent firewall configuration across many servers, deploy rules using Group Policy. This ensures rules are applied automatically when servers join the domain and, if the policy also disables local rule merging, cannot be overridden by rules created locally on the server:

# On a domain controller, create and link a GPO
Import-Module GroupPolicy

$GPO = New-GPO -Name "Server Firewall Policy" `
    -Comment "Baseline firewall rules for all member servers"

# Link the GPO to the Servers OU
New-GPLink -Name "Server Firewall Policy" `
    -Target "OU=Servers,DC=corp,DC=example,DC=com"

# Configure firewall settings in the GPO
# (Use Group Policy Management Editor for detailed configuration,
#  or use PowerShell with LGPO.exe for scripted GPO editing)
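The NetSecurity cmdlets can also write rules straight into a GPO, without LGPO.exe. The following is an added example (not the article's own code) that assumes the "Server Firewall Policy" GPO created above exists in corp.example.com: it opens a GPO session, enforces the profile baseline with local rule merging disabled, stores the admin-hosts RDP rule in the GPO, and reads the result back.

```powershell
# Added example (not from the original article): edit the GPO with the
# NetSecurity cmdlets. Domain and GPO name are those used above.
$GpoStore = 'corp.example.com\Server Firewall Policy'

# Open a GPO session so that all changes are written back in one save
$session = Open-NetGPO -PolicyStore $GpoStore

# Profile baseline enforced by policy; with local rule merging disabled,
# rules created on the server itself are ignored
Set-NetFirewallProfile -GPOSession $session -Profile Domain `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -AllowLocalFirewallRules False

# The same RDP rule as above, stored in the GPO instead of the local policy
New-NetFirewallRule -GPOSession $session `
    -DisplayName 'Allow RDP from Admin Hosts' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress 192.168.1.50, 192.168.1.51 `
    -Action Allow -Profile Domain

Save-NetGPO -GPOSession $session

# Read the rules back from the GPO; on a member server, after gpupdate,
# the merged ActiveStore shows whether the policy rule actually arrived
Get-NetFirewallRule -PolicyStore $GpoStore | Select-Object DisplayName, Direction, Action
Get-NetFirewallRule -PolicyStore ActiveStore -DisplayName 'Allow RDP from Admin Hosts'
```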

Monitoring and Troubleshooting the Firewall

Use firewall logging and diagnostic tools to identify connectivity issues and blocked traffic:

# View the last 50 lines of the firewall log
Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" -Tail 50

# Test connectivity and see if firewall is blocking
Test-NetConnection -ComputerName 192.168.1.20 -Port 443

# Check which rules match a specific port
Get-NetFirewallPortFilter | Where-Object {$_.LocalPort -eq 443}

# Show all enabled inbound rules that cover a specific port (here RDP, 3389)
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq '3389' -or $_.LocalPort -eq 'Any' } |
    ForEach-Object {
        $rule = Get-NetFirewallRule -AssociatedNetFirewallPortFilter $_
        [PSCustomObject]@{
            Name    = $rule.DisplayName
            Action  = $rule.Action
            Profile = $rule.Profile
        }
    }

# Export all firewall rules for documentation
Get-NetFirewallRule | Export-Csv "C:\Temp\FirewallRules.csv" -NoTypeInformation
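Tailing the log shows individual drops; a summary shows who is probing which ports. The parser below is an added example, not code from the original article: it reads the W3C field header that pfirewall.log carries, keeps only inbound DROP entries, and ranks source address and destination port pairs. The sample log at the end is constructed so the function can be tried offline.

```powershell
# Added example (not from the original article): summarise inbound DROP
# entries in pfirewall.log by source address and destination port.
function Get-FirewallDropSummary {
    param(
        [string]$Path = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log",
        [int]$Top = 10
    )
    $lines = Get-Content $Path
    # The '#Fields:' header declares the column order of every data line
    $header = $lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    $fields = ($header -replace '^#Fields:\s*', '') -split '\s+'

    $lines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            $values = $_ -split '\s+'
            $entry  = [ordered]@{}
            for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }
            [PSCustomObject]$entry
        } |
        # path RECEIVE = inbound; SEND would be our own blocked outbound traffic
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object 'src-ip', 'dst-port' |
        Sort-Object Count -Descending |
        Select-Object -First $Top |
        ForEach-Object {
            [PSCustomObject]@{
                SourceIP = $_.Group[0].'src-ip'
                DstPort  = $_.Group[0].'dst-port'
                Protocol = $_.Group[0].protocol
                Drops    = $_.Count
            }
        }
}

# Constructed sample in the pfirewall.log format, for offline testing
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-15 10:00:01 DROP TCP 192.168.1.99 192.168.1.20 51000 3389 52 S 0 0 0 - - - RECEIVE
2024-01-15 10:00:02 DROP TCP 192.168.1.99 192.168.1.20 51001 3389 52 S 0 0 0 - - - RECEIVE
2024-01-15 10:00:03 ALLOW TCP 192.168.1.50 192.168.1.20 51002 443 52 S 0 0 0 - - - RECEIVE
2024-01-15 10:00:04 DROP UDP 192.168.1.77 192.168.1.20 5353 5353 80 - - - - - - - RECEIVE
'@
$tmp = Join-Path $env:TEMP 'pfirewall-sample.log'
Set-Content -Path $tmp -Value $sample
Get-FirewallDropSummary -Path $tmp | Format-Table -AutoSize
```

On the sample, 192.168.1.99 hitting port 3389 ranks first with two drops; run the function without -Path to analyse the live log configured earlier.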

Maintaining a disciplined firewall configuration requires an ongoing process: review rules regularly, remove rules that are no longer needed, audit for overly permissive rules, and document all changes. The Windows Defender Firewall, when properly configured, is an effective defense-in-depth layer that limits lateral movement and reduces the attack surface of your Windows Server 2019 environment.