How to Configure Windows Firewall on Windows Server 2012 R2
Windows Firewall with Advanced Security (WFAS) is the host-based stateful packet filter built into Windows Server 2012 R2. Unlike its consumer counterpart, the server version includes full inbound and outbound rule management, connection security rules for IPsec, and fine-grained profile controls for Domain, Private, and Public network types. Properly configuring the Windows Firewall is a foundational security control for any Windows Server deployment.
This guide covers managing Windows Firewall through both the graphical console and PowerShell (version 4.0), including creating custom rules, managing rule groups, configuring profiles, and exporting configuration for documentation or redeployment.
Prerequisites
- Local Administrator or Domain Administrator account.
- PowerShell 4.0 (included with Windows Server 2012 R2).
- Understanding of TCP/IP port numbers and protocols used by your applications.
Understanding Firewall Profiles
Windows Firewall applies rules based on the network profile assigned to each network adapter:
- Domain Profile — applied when the server is joined to a domain and communicates with a domain controller. Usually the most permissive.
- Private Profile — applied on trusted private networks where no domain is detected.
- Public Profile — applied on untrusted networks. Should be the most restrictive, especially for internet-facing NICs.
A server with two NICs (e.g., one for management, one for production) may run different profiles simultaneously on each adapter.
Checking and Enabling Firewall Profiles via PowerShell
# View the current state of all three profiles
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
# Enable all profiles
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True
# Configure default actions (deny inbound, allow outbound)
Set-NetFirewallProfile -Profile Domain,Private,Public `
-DefaultInboundAction Block `
-DefaultOutboundAction Allow
# Enable logging for the Public profile
Set-NetFirewallProfile -Profile Public `
-LogAllowed True `
-LogBlocked True `
-LogFileName "%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log" `
-LogMaxSizeKilobytes 4096
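The commands above set the profiles; the script below, an added example that is not part of the original guide, checks every profile against a desired baseline and returns one object per deviation, so the check can run on a schedule or across a fleet. The baseline values (all profiles enabled, inbound Block, outbound Allow, blocked-packet logging on) are assumptions chosen to match this guide and should be adjusted to your own policy. The `-Remediate` switch applies the expected value through Set-NetFirewallProfile.

```powershell
# Added example (not from the original guide): audit the three firewall
# profiles against a baseline and optionally enforce it. The baseline below
# is an assumption for illustration.
function Test-FirewallProfileBaseline {
    [CmdletBinding()]
    param(
        # Keys are Set-NetFirewallProfile parameter names; values are the desired settings
        [hashtable]$Baseline = @{
            Enabled               = 'True'
            DefaultInboundAction  = 'Block'
            DefaultOutboundAction = 'Allow'
            LogBlocked            = 'True'
        },
        [switch]$Remediate
    )

    foreach ($fwProfile in Get-NetFirewallProfile) {
        foreach ($setting in $Baseline.Keys) {
            # Enum values (GpoBoolean, Action) are compared as strings
            $actual = [string]$fwProfile.$setting
            if ($actual -eq $Baseline[$setting]) { continue }

            if ($Remediate) {
                # Splat so the setting name can be supplied as a parameter dynamically
                $change = @{ Name = $fwProfile.Name; $setting = $Baseline[$setting] }
                Set-NetFirewallProfile @change
            }

            [pscustomobject]@{
                Profile    = $fwProfile.Name
                Setting    = $setting
                Expected   = $Baseline[$setting]
                Actual     = $actual
                Remediated = [bool]$Remediate
            }
        }
    }
}

# Audit only; add -Remediate to enforce the baseline
$findings = Test-FirewallProfileBaseline
if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Output 'All firewall profiles match the baseline.' }
```

Run it without `-Remediate` first: a profile reporting `Enabled = False` or `DefaultInboundAction = Allow` is the finding you want to see before any change is made.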
Creating Inbound Allow Rules
The most common firewall task is opening specific ports for services. The following examples cover the most frequently needed server roles:
# Allow inbound HTTP (TCP 80)
New-NetFirewallRule -DisplayName "Allow HTTP Inbound" `
-Direction Inbound -Protocol TCP -LocalPort 80 `
-Action Allow -Profile Domain,Private
# Allow inbound HTTPS (TCP 443)
New-NetFirewallRule -DisplayName "Allow HTTPS Inbound" `
-Direction Inbound -Protocol TCP -LocalPort 443 `
-Action Allow -Profile Domain,Private,Public
# Allow inbound SQL Server (TCP 1433) from specific subnet only
New-NetFirewallRule -DisplayName "Allow SQL Server from App Tier" `
-Direction Inbound -Protocol TCP -LocalPort 1433 `
-RemoteAddress 10.0.1.0/24 `
-Action Allow -Profile Domain
# Allow inbound ICMP (ping) — echo requests
New-NetFirewallRule -DisplayName "Allow ICMPv4 Echo Request" `
-Direction Inbound -Protocol ICMPv4 `
-IcmpType 8 -Action Allow `
-Profile Domain,Private
# Allow inbound SMB (TCP 445) from management network
New-NetFirewallRule -DisplayName "Allow SMB from Management" `
-Direction Inbound -Protocol TCP -LocalPort 445 `
-RemoteAddress 192.168.10.0/24 `
-Action Allow -Profile Domain
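The SQL and SMB rules above are scoped with `-RemoteAddress`; the HTTP rule is not. The function below, an added example that is not from the original guide, lists the enabled inbound Allow rules that apply to a given profile and accept traffic from any remote address, so you can decide which of them should be narrowed to a subnet. It uses only the NetSecurity cmdlets already shown in this guide plus Get-NetFirewallAddressFilter; the default profile of Public is an assumption.

```powershell
# Added example (not from the original guide): find inbound Allow rules that are
# enabled for the chosen profile and whose remote address scope is "Any".
function Get-UnscopedInboundAllowRule {
    [CmdletBinding()]
    param(
        # Profile to inspect; rules marked 'Any' apply to every profile and always match
        [string]$Profile = 'Public'
    )

    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { $_.Profile -eq 'Any' -or (([string]$_.Profile) -split ', ') -contains $Profile } |
        ForEach-Object {
            $rule = $_
            # Address and port scope live in separate filter objects, not on the rule itself
            $addr = $rule | Get-NetFirewallAddressFilter
            $port = $rule | Get-NetFirewallPortFilter
            if ($addr.RemoteAddress -contains 'Any') {
                [pscustomobject]@{
                    DisplayName   = $rule.DisplayName
                    Profile       = [string]$rule.Profile
                    Protocol      = $port.Protocol
                    LocalPort     = ($port.LocalPort -join ',')
                    RemoteAddress = ($addr.RemoteAddress -join ',')
                }
            }
        }
}

Get-UnscopedInboundAllowRule -Profile Public | Sort-Object DisplayName | Format-Table -AutoSize
```

Expect a number of built-in Windows rules in the output; the ones worth acting on are your own service rules, which can be narrowed in place with `Set-NetFirewallRule -DisplayName <name> -RemoteAddress <subnet>`.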
Creating Outbound Block Rules
Outbound rules are particularly useful for preventing a compromised server from phoning home or exfiltrating data. The default outbound action is Allow, so you create Block rules for specific unwanted traffic:
# Block outbound Telnet (TCP 23)
New-NetFirewallRule -DisplayName "Block Outbound Telnet" `
-Direction Outbound -Protocol TCP -RemotePort 23 `
-Action Block -Profile Any
# Block outbound RPC endpoint mapper (TCP 135) to external
New-NetFirewallRule -DisplayName "Block Outbound RPC External" `
-Direction Outbound -Protocol TCP -RemotePort 135 `
-RemoteAddress Internet -Action Block `
-Profile Public
# Block all outbound except specific ports (change default to block first)
Set-NetFirewallProfile -Profile Public -DefaultOutboundAction Block
New-NetFirewallRule -DisplayName "Allow Outbound HTTP Public" `
-Direction Outbound -Protocol TCP -RemotePort 80 `
-Action Allow -Profile Public
New-NetFirewallRule -DisplayName "Allow Outbound HTTPS Public" `
-Direction Outbound -Protocol TCP -RemotePort 443 `
-Action Allow -Profile Public
New-NetFirewallRule -DisplayName "Allow Outbound DNS Public" `
-Direction Outbound -Protocol UDP -RemotePort 53 `
-Action Allow -Profile Public
Managing Existing Rules
# List all enabled inbound rules
Get-NetFirewallRule -Direction Inbound -Enabled True |
Select-Object DisplayName, Action, Profile | Sort-Object DisplayName
# Find rules by port
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq "3389" } |
Get-NetFirewallRule | Select-Object DisplayName, Enabled, Action
# Disable a rule without deleting it
Disable-NetFirewallRule -DisplayName "Allow HTTP Inbound"
# Enable a rule
Enable-NetFirewallRule -DisplayName "Allow HTTP Inbound"
# Delete a rule permanently
Remove-NetFirewallRule -DisplayName "Allow HTTP Inbound"
# Change a rule's display name (Rename-NetFirewallRule changes the internal Name, not the DisplayName)
Set-NetFirewallRule -DisplayName "Allow HTTP Inbound" `
-NewDisplayName "Allow Web HTTP Inbound"
Working with Rule Groups
Windows pre-creates groups of related rules for common server roles. Managing groups is more efficient than managing individual rules when enabling or disabling an entire feature:
# List all available rule groups (DisplayGroup is the name that -DisplayGroup expects below)
Get-NetFirewallRule | Where-Object { $_.DisplayGroup } |
Select-Object -Unique -ExpandProperty DisplayGroup | Sort-Object
# Enable the File and Printer Sharing group
Enable-NetFirewallRule -DisplayGroup "File and Printer Sharing"
# Enable Windows Remote Management (WinRM/PowerShell Remoting)
Enable-NetFirewallRule -DisplayGroup "Windows Remote Management"
# Enable Performance Logs and Alerts
Enable-NetFirewallRule -DisplayGroup "Performance Logs and Alerts"
# Disable a group
Disable-NetFirewallRule -DisplayGroup "Routing and Remote Access"
Exporting and Importing Firewall Configuration
For documentation, backup, or deploying the same rules to multiple servers:
# Export current firewall policy to a file
netsh advfirewall export "C:\Backup\firewall-policy.wfw"
# Import firewall policy from a file
netsh advfirewall import "C:\Backup\firewall-policy.wfw"
# Export rules to CSV for documentation
Get-NetFirewallRule | Select-Object DisplayName, Direction, Action, Enabled, Profile |
Export-Csv -Path "C:\Audit\firewall-rules.csv" -NoTypeInformation
# Reset firewall to default settings (WARNING: removes all custom rules)
netsh advfirewall reset
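A CSV export is also a baseline to check against later. The function below, an added example that is not from the original guide, compares the live rule set with a CSV written by the Export-Csv command in this section and reports rules that exist only on the server, only in the baseline, or differ between the two (a changed rule appears once on each side). The baseline path is an assumption.

```powershell
# Added example (not from the original guide): report drift between the live
# firewall rules and a CSV baseline produced by the Export-Csv command above.
function Compare-FirewallRuleBaseline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$BaselinePath
    )
    $props = 'DisplayName', 'Direction', 'Action', 'Enabled', 'Profile'

    # Import-Csv yields strings, so the live enum values are stringified to match
    $baseline = Import-Csv -Path $BaselinePath | Select-Object $props
    $current  = Get-NetFirewallRule | ForEach-Object {
        [pscustomobject]@{
            DisplayName = $_.DisplayName
            Direction   = [string]$_.Direction
            Action      = [string]$_.Action
            Enabled     = [string]$_.Enabled
            Profile     = [string]$_.Profile
        }
    }

    Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property $props |
        Select-Object @{ Name = 'Status'; Expression = {
                if ($_.SideIndicator -eq '=>') { 'OnlyOnServer' } else { 'OnlyInBaseline' } } },
            DisplayName, Direction, Action, Enabled, Profile
}

# No output means the server still matches the exported baseline
Compare-FirewallRuleBaseline -BaselinePath 'C:\Audit\firewall-rules.csv' |
    Sort-Object DisplayName | Format-Table -AutoSize
```

A rule that shows up as `OnlyOnServer` with no `OnlyInBaseline` counterpart was added after the export; a pair with the same DisplayName on both sides means a property such as Enabled or Action was changed.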
Configuring IPsec Connection Security Rules
Connection security rules use IPsec to authenticate and optionally encrypt traffic between specific computers. This is useful for server-to-server communication on sensitive traffic paths. A matching rule must exist on the peer, and when no authentication set is specified the rule uses the firewall's default IPsec settings (computer Kerberos for domain members):
# Create an IPsec rule requiring authentication between two servers
New-NetIPsecRule -DisplayName "Require Auth to DB Server" `
-InboundSecurity Require -OutboundSecurity Request `
-RemoteAddress 10.0.1.50
# View connection security rules
Get-NetIPsecRule | Select-Object DisplayName, InboundSecurity, OutboundSecurity
Verifying Firewall Configuration
# Show active firewall state for all profiles
netsh advfirewall show allprofiles
# Test that a port is blocked/allowed from an external machine
Test-NetConnection -ComputerName 192.168.1.10 -Port 80
# Show dropped packet statistics
netsh advfirewall monitor show firewall
# View the firewall log file (if logging enabled)
Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" -Tail 50
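Tailing the log shows individual entries; the function below, an added example that is not part of the original guide, parses the W3C-style pfirewall.log format (comment lines beginning with `#`, a `#Fields:` header naming the space-separated columns, `-` for empty values) and summarises DROP entries by remote source, flagging any source that was dropped against several distinct local ports. The log lines embedded in the block are constructed sample data using TEST-NET addresses; the port threshold is an assumption.

```powershell
# Added example (not from the original guide): summarise dropped inbound
# connections per source address from a Windows Firewall log.
function Get-FirewallDropSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        # Flag a source once it has been dropped against this many distinct ports (assumption)
        [int]$PortThreshold = 3
    )

    # The #Fields header names every column; data rows use "-" for empty values
    $fieldLine = $LogLines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $fieldLine) { throw 'No #Fields header found; is this a Windows Firewall log?' }
    $fields = ($fieldLine -replace '^#Fields:\s*', '') -split '\s+'

    $entries = $LogLines |
        Where-Object { $_ -and $_ -notlike '#*' } |
        ConvertFrom-Csv -Delimiter ' ' -Header $fields

    # Only inbound (RECEIVE) drops matter here; SEND drops are this host's own blocked traffic
    $entries |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object 'src-ip' |
        ForEach-Object {
            $ports = @($_.Group.'dst-port' | Sort-Object -Unique)
            [pscustomobject]@{
                SourceIP      = $_.Name
                Drops         = $_.Count
                DistinctPorts = $ports.Count
                Ports         = ($ports -join ',')
                Suspicious    = ($ports.Count -ge $PortThreshold)
            }
        } | Sort-Object Drops -Descending
}

# Constructed sample log (TEST-NET addresses) in the pfirewall.log format
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-01-15 10:22:01 DROP TCP 203.0.113.7 192.168.1.10 51234 23 52 S 3456789 0 8192 - - - RECEIVE
2024-01-15 10:22:02 DROP TCP 203.0.113.7 192.168.1.10 51235 135 52 S 3456790 0 8192 - - - RECEIVE
2024-01-15 10:22:02 DROP TCP 203.0.113.7 192.168.1.10 51236 445 52 S 3456791 0 8192 - - - RECEIVE
2024-01-15 10:22:03 DROP TCP 203.0.113.7 192.168.1.10 51237 3389 52 S 3456792 0 8192 - - - RECEIVE
2024-01-15 10:23:10 DROP UDP 198.51.100.22 192.168.1.10 40000 161 78 - - - - - - - RECEIVE
2024-01-15 10:23:11 ALLOW TCP 10.0.1.15 192.168.1.10 49832 443 52 S 1122334 0 65535 - - - RECEIVE
2024-01-15 10:24:00 DROP TCP 192.168.1.10 203.0.113.9 50000 23 52 S 7788990 0 8192 - - - SEND
'@ -split "`r?`n"

Get-FirewallDropSummary -LogLines $sampleLog | Format-Table -AutoSize

# Against a real server, feed the live log instead:
# Get-FirewallDropSummary -LogLines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

On the sample data, 203.0.113.7 is reported with four drops across four distinct ports and `Suspicious = True`, 198.51.100.22 with a single drop on UDP 161, while the ALLOW entry and the outbound SEND drop are excluded. Logging must be enabled on the relevant profile (see the Set-NetFirewallProfile logging example earlier) for the real log to contain anything.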
Summary
Windows Firewall with Advanced Security on Windows Server 2012 R2 provides a powerful, layered host-based firewall that every server should have properly configured. Key practices include: enabling all three profiles with Block as the default inbound action, creating explicit Allow rules only for ports your services actually use, restricting rules to specific remote address ranges wherever possible, enabling firewall logging for the public profile, and using rule groups to manage Windows role-related traffic efficiently. PowerShell’s NetSecurity module makes all of this fully scriptable and auditable, which is essential for maintaining consistent security posture across a fleet of Windows servers.