How to Set Up Windows Server 2016 Windows Firewall
Windows Firewall with Advanced Security is the host-based firewall built into Windows Server 2016. It provides bi-directional traffic filtering, connection security rules, and integration with IPsec, and it is enabled on all three profiles out of the box. Properly configuring the firewall is essential for securing your server against unauthorized access while allowing legitimate traffic to pass. This guide covers enabling the firewall, creating inbound and outbound rules, managing rule groups, and using PowerShell for automation. The PowerShell cmdlets used throughout come from the NetSecurity module that ships with the operating system and must be run from an elevated session.
Step 1: Check Windows Firewall Status
Before making changes, check the current state of the firewall across all three network profiles: Domain, Private, and Public.
# Check the status of all firewall profiles
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
# Detailed profile settings
Get-NetFirewallProfile -Profile Domain | Format-List
Get-NetFirewallProfile -Profile Private | Format-List
Get-NetFirewallProfile -Profile Public | Format-List
Step 2: Enable or Disable the Firewall
Enable the Windows Firewall for all profiles. This should always be enabled on production servers:
# Enable firewall for all profiles
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True
# Set default actions: block inbound, allow outbound
Set-NetFirewallProfile -Profile Domain,Private,Public `
-DefaultInboundAction Block `
-DefaultOutboundAction Allow
# Optional: notify interactively logged-on users when a program starts listening on a port.
# This controls only the notification; whether allow rules are honoured is the AllowInboundRules
# setting, which should stay True (False means "block all inbound connections, including allowed programs").
Set-NetFirewallProfile -Profile Domain -NotifyOnListen True
Step 3: View Existing Firewall Rules
Windows Server 2016 ships with hundreds of predefined firewall rules. Review the currently enabled inbound rules:
# List all enabled inbound rules
Get-NetFirewallRule -Direction Inbound -Enabled True | Select-Object DisplayName, Profile, Action
# List all enabled outbound rules
Get-NetFirewallRule -Direction Outbound -Enabled True | Select-Object DisplayName, Profile, Action
# Search for a specific rule by name
Get-NetFirewallRule -DisplayName "*Remote Desktop*"
# Show rule details including ports
Get-NetFirewallRule -DisplayName "World Wide Web Services (HTTP Traffic-In)" | Get-NetFirewallPortFilter
Step 4: Create an Inbound Rule to Allow a Specific Port
Create custom rules to allow specific TCP or UDP ports. For example, to allow HTTPS traffic (port 443):
# Allow inbound HTTPS (TCP 443) on all profiles
New-NetFirewallRule `
-DisplayName "Allow Inbound HTTPS" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 443 `
-Action Allow `
-Profile Domain,Private,Public `
-Description "Allow inbound HTTPS traffic"
# Allow a custom application port (e.g., 8080)
New-NetFirewallRule `
-DisplayName "Allow App Port 8080" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 8080 `
-Action Allow `
-Profile Domain,Private
Step 5: Create a Rule to Block an IP Address
Block inbound traffic from a specific IP address or subnet that is known to be malicious or unauthorized. Windows Firewall evaluates block rules ahead of allow rules, so a block rule takes effect even when another rule would allow the same traffic; you do not need to adjust the existing allow rules.
# Block all inbound traffic from a specific IP address
New-NetFirewallRule `
-DisplayName "Block Malicious IP 10.0.0.50" `
-Direction Inbound `
-RemoteAddress 10.0.0.50 `
-Action Block `
-Profile Domain,Private,Public
# Block an entire subnet
New-NetFirewallRule `
-DisplayName "Block Subnet 203.0.113.0/24" `
-Direction Inbound `
-RemoteAddress 203.0.113.0/24 `
-Action Block `
-Profile Domain,Private,Public
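Creating one rule per address does not scale to a blocklist that changes daily. The following added example (not from the original article) keeps a single managed block rule and replaces its RemoteAddress list on every run, so entries removed from the feed are unblocked again; the rule name and the addresses are assumptions, and the sample blocklist is constructed from documentation ranges rather than real threat data.

```powershell
# Added example, not from the original article. Maintains one inbound block rule whose
# RemoteAddress list is the current blocklist, instead of one rule per address.
# Rule name and addresses are assumptions for illustration.

function Set-InboundBlocklist {
    param(
        [Parameter(Mandatory)] [string[]] $Address,                    # IPs, CIDR subnets or ranges
        [string] $RuleName = "Blocklist - Inbound (Managed)"
    )

    # Validate each entry so a malformed feed line (or a keyword such as "Any",
    # which would block everything) cannot end up in the rule.
    foreach ($a in $Address) {
        if ($a -notmatch '^[0-9A-Fa-f:.]+(/\d{1,3}|-[0-9A-Fa-f:.]+)?$') {
            throw "Rejecting malformed blocklist entry '$a'"
        }
    }

    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if (-not $rule) {
        # Block rules win over allow rules, so this rule overrides any allow rule
        # for the listed sources regardless of port or program.
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
            -Profile Domain,Private,Public -RemoteAddress $Address `
            -Description "Managed blocklist; update with Set-InboundBlocklist" | Out-Null
    } else {
        # Set-NetFirewallRule replaces the address list rather than appending to it.
        Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $Address
    }

    # Return what is actually installed so the caller can verify the change.
    Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter |
        Select-Object -ExpandProperty RemoteAddress
}

# Constructed sample blocklist (documentation addresses, not real threat data)
$blocklist = @("10.0.0.50", "203.0.113.0/24", "198.51.100.10-198.51.100.20")
Set-InboundBlocklist -Address $blocklist
```

Run it from the job that fetches your blocklist; because the whole list is replaced each time, the rule always reflects the latest feed and never accumulates stale entries.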
Step 6: Create an Outbound Rule
Although the default outbound policy allows all traffic, you may need to restrict outbound connections from a server. For example, to prevent the server from sending mail anywhere except an internal relay. Keep the rule precedence in mind: Windows Firewall applies block rules before allow rules, so a block rule covering all remote addresses would also block the relay and the allow rule below would never take effect. The block rule must therefore exclude the relay address:
# Block outbound SMTP to every IPv4 unicast address except the relay 192.168.1.20
# (if the server reaches mail servers over IPv6, add the corresponding IPv6 ranges)
New-NetFirewallRule `
-DisplayName "Block Outbound External SMTP" `
-Direction Outbound `
-Protocol TCP `
-RemotePort 25 `
-RemoteAddress "1.0.0.0-192.168.1.19","192.168.1.21-223.255.255.255" `
-Action Block `
-Profile Domain,Private,Public
# Allow outbound SMTP only to your internal mail relay
New-NetFirewallRule `
-DisplayName "Allow Outbound SMTP to Relay" `
-Direction Outbound `
-Protocol TCP `
-RemoteAddress 192.168.1.20 `
-RemotePort 25 `
-Action Allow `
-Profile Domain,Private
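Carving exceptions out of a permissive outbound policy gets awkward as the list grows. The alternative is a default-deny egress policy with an explicit allow-list. The following added example (not from the original article) switches the Domain and Private profiles to block outbound by default and allows only name resolution, time, mail to the relay, and Active Directory traffic to the domain controllers. Every address is an assumption for illustration; the ports are the standard ones for those services.

```powershell
# Added example, not from the original article: default-deny outbound on the Domain and
# Private profiles with an explicit allow-list. All addresses below are assumptions.

$Resolvers   = @("192.168.1.2", "192.168.1.3")
$TimeSources = @("192.168.1.2")
$DomainCtrls = @("192.168.1.2", "192.168.1.3")
$MailRelay   = @("192.168.1.20")

function New-EgressAllow {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Protocol,
        [Parameter(Mandatory)][string[]]$RemotePort,
        [Parameter(Mandatory)][string[]]$RemoteAddress
    )
    # Idempotent: re-running the script must not create duplicate rules.
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) { return }
    New-NetFirewallRule -DisplayName $Name -Group "Egress Allow-List" `
        -Direction Outbound -Action Allow -Profile Domain,Private `
        -Protocol $Protocol -RemotePort $RemotePort -RemoteAddress $RemoteAddress | Out-Null
}

# Name resolution and time, scoped to the organisation's own servers. Note that the
# predefined "Core Networking - DNS (UDP-Out)" rule still allows DNS to any address;
# disable it if resolvers must really be restricted.
New-EgressAllow -Name "Egress: DNS (TCP)"  -Protocol TCP -RemotePort 53  -RemoteAddress $Resolvers
New-EgressAllow -Name "Egress: DNS (UDP)"  -Protocol UDP -RemotePort 53  -RemoteAddress $Resolvers
New-EgressAllow -Name "Egress: NTP"        -Protocol UDP -RemotePort 123 -RemoteAddress $TimeSources

# Mail only to the internal relay
New-EgressAllow -Name "Egress: SMTP relay" -Protocol TCP -RemotePort 25  -RemoteAddress $MailRelay

# Active Directory: Kerberos, RPC endpoint mapper, LDAP/LDAPS, SMB, Kerberos password change,
# global catalog and the dynamic RPC range. Omit this section on a workgroup server.
$AdTcp = "88","135","389","445","464","636","3268","3269","49152-65535"
$AdUdp = "88","123","389","464"
New-EgressAllow -Name "Egress: AD (TCP)" -Protocol TCP -RemotePort $AdTcp -RemoteAddress $DomainCtrls
New-EgressAllow -Name "Egress: AD (UDP)" -Protocol UDP -RemotePort $AdUdp -RemoteAddress $DomainCtrls

# Anything else this server must reach (WSUS, monitoring, backup) needs its own rule
# BEFORE the default is flipped; otherwise it silently stops working.

# Flip the default last, after the allow rules exist, and only on Domain/Private.
Set-NetFirewallProfile -Profile Domain,Private -DefaultOutboundAction Block

# Verify the profile state and the resulting allow-list
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction
Get-NetFirewallRule -Group "Egress Allow-List" | Get-NetFirewallPortFilter |
    Select-Object Protocol, RemotePort

# Rollback if something breaks:
# Set-NetFirewallProfile -Profile Domain,Private -DefaultOutboundAction Allow
```

Responses to inbound connections are still allowed by the firewall's state tracking, so management sessions are unaffected. Enable blocked-packet logging (Step 10) before flipping the default: the SEND drops in the log tell you exactly which destinations you forgot.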
Step 7: Enable or Disable Rule Groups
Windows Firewall organizes rules into named groups. You can enable or disable an entire group at once:
# Enable the File and Printer Sharing rule group
Enable-NetFirewallRule -DisplayGroup "File and Printer Sharing"
# Enable Windows Remote Management
Enable-NetFirewallRule -DisplayGroup "Windows Remote Management"
# Disable a group (e.g., Remote Assistance)
Disable-NetFirewallRule -DisplayGroup "Remote Assistance"
# List all rule groups
Get-NetFirewallRule | Select-Object -Property DisplayGroup -Unique | Sort-Object DisplayGroup
Step 8: Restrict RDP Access to a Specific IP Range
Restrict Remote Desktop access to trusted management addresses to reduce the attack surface. Disabling the predefined group removes both the TCP and the UDP 3389 rules, so the replacement rule below is TCP-only; add a matching UDP rule if you rely on the UDP transport. Make the change from a console session or from a session that originates inside the management range, and confirm that a new RDP connection from that range succeeds before closing the session you are working in:
# First disable the default broad RDP rule
Disable-NetFirewallRule -DisplayGroup "Remote Desktop"
# Create a new rule allowing RDP only from the management network
New-NetFirewallRule `
-DisplayName "Allow RDP from Management Network" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 3389 `
-RemoteAddress 192.168.10.0/24 `
-Action Allow `
-Profile Domain,Private
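An alternative to disabling the built-in group is to narrow its rules in place, which keeps both transports and survives someone re-enabling the group later. The following added example (not from the original article) scopes the predefined "Remote Desktop" rules to the management network and then checks that no enabled inbound allow rule still exposes port 3389 to any source. The management range is an assumption for illustration.

```powershell
# Added example, not from the original article. Scope the built-in "Remote Desktop" rules
# instead of disabling them, then verify nothing else exposes 3389. The range is assumed.

$ManagementNet = "192.168.10.0/24"

# Narrow the predefined rules (TCP, UDP and Shadow) in place. The group stays enabled, so a later
# Enable-NetFirewallRule -DisplayGroup "Remote Desktop" does not reopen RDP to every source.
Set-NetFirewallRule -DisplayGroup "Remote Desktop" -RemoteAddress $ManagementNet -Profile Domain,Private

function Get-RdpExposure {
    # Walk from port filters to their rules; cheaper than querying the port filter of every rule.
    # Rules whose LocalPort is a range (e.g. 3000-4000) or "Any" are not matched here and
    # need a separate review.
    Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -contains "3389" } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq "True" -and $_.Direction -eq "Inbound" -and $_.Action -eq "Allow" } |
        ForEach-Object {
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = [string]$_.Profile
                Protocol      = ($_ | Get-NetFirewallPortFilter).Protocol
                RemoteAddress = (@($addr.RemoteAddress) -join ",")
            }
        }
}

# Full picture first, then the failures: anything still reachable from "Any"
Get-RdpExposure | Format-Table -AutoSize
$open = Get-RdpExposure | Where-Object { $_.RemoteAddress -eq "Any" }
if ($open) { Write-Warning "RDP still exposed to all sources by: $($open.Rule -join ', ')" }
```

Run the check after any rule change that touches RDP, including rules pushed by Group Policy, which show up in the same query.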
Step 9: Export and Import Firewall Rules
Export your firewall configuration to back it up or deploy it to other servers. The .wfw file holds the whole policy (profile settings, firewall rules and connection security rules), and importing it replaces the target server's current policy rather than merging with it, so review what you are about to overwrite first. The destination directory must already exist:
# Export the complete firewall policy to a file
netsh advfirewall export "C:\Backup\firewallpolicy.wfw"
# Import the policy on another server (replaces that server's current policy)
netsh advfirewall import "C:\Backup\firewallpolicy.wfw"
# Reset the firewall to its out-of-box defaults, discarding all custom rules (use with caution)
netsh advfirewall reset
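The .wfw file is an opaque binary, so you cannot diff two exports or keep them usefully in source control. The following added example (not from the original article) writes the rule set, with its port, address and program filters, as sorted JSON. That gives a readable inventory of what is actually open (the review from Step 3) and a baseline you can compare a server against later. The file paths are assumptions.

```powershell
# Added example, not from the original article: text export of the rule set for review
# and drift detection. Paths are assumptions.

function Export-FirewallRuleSet {
    param([Parameter(Mandatory)][string]$Path)
    # One flattened object per rule. Three filter queries per rule is slow on a server with
    # hundreds of rules, so run this from a scheduled task rather than a logon script.
    $rules = Get-NetFirewallRule | Sort-Object Name | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name          = $_.Name                    # stable identifier; DisplayName may be localized
            DisplayName   = $_.DisplayName
            Enabled       = [string]$_.Enabled
            Direction     = [string]$_.Direction
            Action        = [string]$_.Action
            Profile       = [string]$_.Profile
            Protocol      = [string]$port.Protocol
            LocalPort     = (@($port.LocalPort)     -join ",")
            RemotePort    = (@($port.RemotePort)    -join ",")
            RemoteAddress = (@($addr.RemoteAddress) -join ",")
            Program       = [string]$app.Program
        }
    }
    $rules | ConvertTo-Json -Depth 2 | Set-Content -Path $Path -Encoding UTF8
    $rules
}

function Compare-FirewallRuleSet {
    param([Parameter(Mandatory)][string]$Baseline, [Parameter(Mandatory)][string]$Current)
    $props = "Name","Enabled","Direction","Action","Profile","Protocol","LocalPort","RemotePort","RemoteAddress","Program"
    $b = Get-Content -Path $Baseline -Raw | ConvertFrom-Json
    $c = Get-Content -Path $Current  -Raw | ConvertFrom-Json
    # "<=" = only in the baseline (rule removed or changed), "=>" = only in current (added or changed)
    Compare-Object -ReferenceObject $b -DifferenceObject $c -Property $props -PassThru |
        Select-Object SideIndicator, Name, DisplayName, Enabled, Action, LocalPort, RemoteAddress
}

# Inventory of what is actually open: enabled inbound allow rules and their scope
$all = Export-FirewallRuleSet -Path "C:\Backup\firewall-rules.json"
$all | Where-Object { $_.Enabled -eq "True" -and $_.Direction -eq "Inbound" -and $_.Action -eq "Allow" } |
    Sort-Object Protocol, LocalPort |
    Format-Table DisplayName, Profile, Protocol, LocalPort, RemoteAddress, Program -AutoSize

# Later, or on another server built from the same baseline:
# Compare-FirewallRuleSet -Baseline "C:\Backup\firewall-rules.json" -Current "C:\Backup\firewall-rules-today.json"
```

The JSON export complements rather than replaces the .wfw backup: only the .wfw file can be imported, but only the JSON can be reviewed in a pull request or fed to a change-detection job.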
Step 10: View Firewall Logs
Enable and review firewall logs to monitor dropped packets and blocked connection attempts. Logging is configured per profile and is off by default. The default location is %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log, a directory the Windows Firewall service (MpsSvc) is already allowed to write to; if you point LogFileName elsewhere, grant that service write access to the new directory or nothing will be logged. LogAllowed records every permitted connection and fills the log quickly, so on busy servers log blocked traffic only. When the file reaches LogMaxSizeKilobytes it is renamed to pfirewall.log.old and a new file is started, so forward the log to a collector if you need more history than two files' worth:
# Enable firewall logging for the Domain profile (dropped packets and allowed connections)
Set-NetFirewallProfile -Profile Domain `
-LogFileName "C:\Windows\System32\LogFiles\Firewall\pfirewall.log" `
-LogMaxSizeKilobytes 4096 `
-LogBlocked True `
-LogAllowed True
# View recent firewall log entries (elevated session required)
Get-Content "C:\Windows\System32\LogFiles\Firewall\pfirewall.log" -Tail 50
# Enable logging of blocked traffic for all profiles
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True
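The log is space-delimited W3C text with a #Fields header, so it can be parsed without third-party tooling. The following added example (not from the original article) reads the header to discover the columns, parses the entries, and summarises drops per source address, flagging sources that probed many distinct ports. The log lines in it are constructed for the example, not captured from a real server.

```powershell
# Added example, not from the original article: parse pfirewall.log and summarise drops.
# The sample log below is constructed, not real capture data.

function ConvertFrom-PfirewallLog {
    param([Parameter(Mandatory)][string[]]$Line)
    # Column names come from the "#Fields:" header, so the parser follows the file
    # rather than a hard-coded layout.
    $fields = $null
    $data   = New-Object System.Collections.Generic.List[string]
    foreach ($l in $Line) {
        if ($l -match '^#Fields:\s*(.+)$') { $fields = $Matches[1].Trim() -split '\s+'; continue }
        if ($l.StartsWith('#') -or $l.Trim().Length -eq 0) { continue }   # other headers, blank lines
        $data.Add($l)
    }
    if (-not $fields) { throw "No #Fields header found; is this a pfirewall.log file?" }
    $data | ConvertFrom-Csv -Delimiter ' ' -Header $fields
}

function Get-FirewallDropSummary {
    param(
        [Parameter(Mandatory)][object[]]$Entry,
        [ValidateSet('RECEIVE','SEND')][string]$Path = 'RECEIVE',   # RECEIVE = inbound, SEND = egress policy hits
        [int]$ScanThreshold = 5                                       # distinct destination ports from one source
    )
    $Entry | Where-Object { $_.action -eq 'DROP' -and $_.path -eq $Path } |
        Group-Object -Property 'src-ip' | ForEach-Object {
            $ports = @($_.Group.'dst-port' | Sort-Object -Unique)
            [pscustomobject]@{
                Source        = $_.Name
                Drops         = $_.Count
                DistinctPorts = $ports.Count
                Ports         = ($ports -join ',')
                FirstSeen     = ($_.Group | Select-Object -First 1).time
                LastSeen      = ($_.Group | Select-Object -Last 1).time
                SuspectedScan = ($ports.Count -ge $ScanThreshold)
            }
        } | Sort-Object Drops -Descending
}

# Constructed sample log in the pfirewall.log layout (documentation addresses, invented timestamps)
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2016-09-15 10:01:12 DROP TCP 203.0.113.9 192.168.1.10 51234 22 52 S 1 0 8192 - - - RECEIVE
2016-09-15 10:01:12 DROP TCP 203.0.113.9 192.168.1.10 51235 135 52 S 1 0 8192 - - - RECEIVE
2016-09-15 10:01:13 DROP TCP 203.0.113.9 192.168.1.10 51236 445 52 S 1 0 8192 - - - RECEIVE
2016-09-15 10:01:13 DROP TCP 203.0.113.9 192.168.1.10 51237 1433 52 S 1 0 8192 - - - RECEIVE
2016-09-15 10:01:14 DROP TCP 203.0.113.9 192.168.1.10 51238 3389 52 S 1 0 8192 - - - RECEIVE
2016-09-15 10:02:01 DROP TCP 198.51.100.7 192.168.1.10 40001 3389 52 S 1 0 8192 - - - RECEIVE
2016-09-15 10:02:05 DROP TCP 198.51.100.7 192.168.1.10 40002 3389 52 S 1 0 8192 - - - RECEIVE
2016-09-15 10:02:09 DROP TCP 198.51.100.7 192.168.1.10 40003 3389 52 S 1 0 8192 - - - RECEIVE
2016-09-15 10:03:00 ALLOW TCP 192.168.10.5 192.168.1.10 50222 3389 0 - 0 0 0 - - - RECEIVE
2016-09-15 10:03:30 DROP TCP 192.168.1.10 203.0.113.80 49160 25 52 S 1 0 8192 - - - SEND
'@ -split '\r?\n'

$entries = ConvertFrom-PfirewallLog -Line $sample
Get-FirewallDropSummary -Entry $entries | Format-Table -AutoSize          # 203.0.113.9 flagged as a scan
Get-FirewallDropSummary -Entry $entries -Path SEND | Format-Table -AutoSize   # outbound drops (egress policy hits)

# Against the live log (elevated session):
# $live = ConvertFrom-PfirewallLog -Line (Get-Content "C:\Windows\System32\LogFiles\Firewall\pfirewall.log")
# Get-FirewallDropSummary -Entry $live | Where-Object SuspectedScan
```

With the sample, 203.0.113.9 is reported with five distinct ports and SuspectedScan set, while 198.51.100.7 shows three drops against 3389 only, the pattern of a brute-force attempt rather than a scan. The SEND view is the one to read after tightening outbound rules, since every destination you forgot to allow appears there.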
Windows Firewall with Advanced Security is a powerful tool that, when properly configured, significantly reduces the attack surface of Windows Server 2016. Regularly review your firewall rules, remove rules that are no longer needed, and audit the logs for suspicious activity. Combine host-based firewall rules with network-level controls for defense-in-depth security.