How to Configure Windows Firewall Advanced Security via GPO on Windows Server 2012 R2
Windows Firewall with Advanced Security (WFAS) provides stateful packet inspection, inbound and outbound filtering, IPsec integration, and connection security rules. When managed via Group Policy, WFAS delivers consistent firewall configuration across all servers in the domain without requiring local administrator intervention on each machine. This guide covers creating and deploying a comprehensive firewall policy via GPO, including profile settings, inbound rules for server roles, outbound restrictions, and monitoring.
Prerequisites
- Domain environment with GPMC access
- Windows Server 2012 R2 target servers with the Windows Firewall service running
- An inventory of required inbound ports for each server role being protected
- A test server where you will validate the policy before rolling out to production
Step 1: Understand WFAS Profile Application
WFAS applies rules based on the network location profile of each network adapter:
- Domain profile — Applied when the server can communicate with its domain controller. This is the profile used by domain-joined servers in normal operation.
- Private profile — Applied when the network is marked as Private (home/small office).
- Public profile — Applied to all other networks. Should be the most restrictive.
For server hardening, configure the Domain profile for normal operation and treat the Public profile as the fallback: a domain-joined server lands in Public whenever Network Location Awareness cannot authenticate to a domain controller (early in boot, or during a DC outage), so the Public profile is what protects the server in that state and should carry the most restrictive settings.
Step 2: Create a WFAS GPO
Create a GPO named WFAS-Servers-Baseline and navigate to:
Computer Configuration → Policies → Windows Settings → Security Settings → Windows Firewall with Advanced Security
Right-click the Windows Firewall with Advanced Security node and choose Properties to open the per-profile settings configured in the next step.
Step 3: Configure Firewall Profile Defaults
Configure default behavior for each profile. For the Domain profile:
- Firewall state: On (recommended)
- Inbound connections: Block (default)
- Outbound connections: Allow (default) — restrict only if your security policy requires outbound filtering
- Protected network connections: All connections
- Display notifications: No (server GUI is not monitored in most cases)
- Logging: Yes, log dropped packets; log successful connections only while validating the policy on the test server (on a busy server the allowed-connection entries fill and wrap the log within minutes and bury the drops you actually want to see)
- Log file path: %systemroot%\system32\LogFiles\Firewall\pfirewall.log
- Log file size limit: 16384 KB (the maximum WFAS accepts is 32767 KB)
Apply the same settings to the Private and Public profiles, with Public also defaulting to Block for outbound connections. If you block outbound in Public, keep DNS and LDAP to your domain controllers allowed in that profile: Network Location Awareness needs them to recognise the domain again, and a server that boots into Public without them can stay there. Also open each profile's Settings → Customize and set Rule merging → Apply local firewall rules and Apply local connection security rules to No; otherwise rules a local administrator creates are merged with the GPO rules and can silently widen the policy.
Step 4: Create Inbound Rules for Common Server Roles
Add inbound allow rules for the specific ports required by each server role. In the Group Policy Management Editor, create them under Windows Firewall with Advanced Security → Inbound Rules → New Rule. The PowerShell equivalents below write to the local persistent store of the machine they run on (which is what Step 6 exports); add -PolicyStore "corp.example.com\WFAS-Servers-Baseline" to write the same rule straight into the GPO instead:
# Create the rules with PowerShell (without -PolicyStore they land in the local store, not the GPO)
# Remote Desktop (RDP) - restrict to management network only
New-NetFirewallRule `
-DisplayName "Allow RDP from Management Network" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 3389 `
-RemoteAddress "10.0.100.0/24" `
-Action Allow `
-Profile Domain `
-Description "Allow RDP from management VLAN only"
# WinRM (PowerShell remoting) - management network only
New-NetFirewallRule `
-DisplayName "Allow WinRM from Management Network" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 5985,5986 `
-RemoteAddress "10.0.100.0/24" `
-Action Allow `
-Profile Domain
# SMB (file sharing) - 10.0.0.0/8 is the whole internal range; SMB is the usual lateral-movement
# path, so narrow RemoteAddress to the hosts or subnets that actually need the share
New-NetFirewallRule `
-DisplayName "Allow SMB - Internal" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 445 `
-RemoteAddress "10.0.0.0/8" `
-Action Allow `
-Profile Domain
# HTTP/HTTPS - web servers only: put these in a separate GPO linked or security-filtered
# to the web server OU rather than in the all-servers baseline
New-NetFirewallRule `
-DisplayName "Allow HTTP Inbound" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 80 `
-Action Allow `
-Profile Domain
New-NetFirewallRule `
-DisplayName "Allow HTTPS Inbound" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 443 `
-Action Allow `
-Profile Domain
Step 5: Create Outbound Restrictions
For high-security servers, restrict outbound connections to only what is required. The three rules below are a starting point, not a complete list: a domain member also needs Kerberos over UDP 88, DNS over TCP 53 for large responses, LDAP (389/636/3268) and SMB 445 to its domain controllers for authentication and Group Policy (SYSVOL), RPC (135 plus the dynamic range) for Group Policy and WMI, and NTP 123 for time. Inventory these on the test server with the firewall log before flipping the default to Block, because a server that can no longer reach its domain controllers will not receive the GPO that fixes the mistake.
# Allow DNS outbound (required for all servers; add a matching TCP 53 rule for large responses)
New-NetFirewallRule `
-DisplayName "Allow DNS Outbound" `
-Direction Outbound `
-Protocol UDP `
-RemotePort 53 `
-Action Allow `
-Profile Domain
# Allow HTTPS outbound (Windows Update, activation)
New-NetFirewallRule `
-DisplayName "Allow HTTPS Outbound" `
-Direction Outbound `
-Protocol TCP `
-RemotePort 443 `
-Action Allow `
-Profile Domain
# Allow Kerberos outbound (required for AD authentication; Kerberos also uses UDP 88,
# and password changes use TCP/UDP 464)
New-NetFirewallRule `
-DisplayName "Allow Kerberos Outbound" `
-Direction Outbound `
-Protocol TCP `
-RemotePort 88 `
-Action Allow `
-Profile Domain
# Only after the allow rules above exist, make Block the default for outbound.
# Run locally, this changes the local Domain profile only; for the GPO, set it in the
# Domain profile's properties or add -PolicyStore "corp.example.com\WFAS-Servers-Baseline".
Set-NetFirewallProfile -Profile Domain -DefaultOutboundAction Block
Step 6: Export Rules to GPO via Group Policy Management
Rules created locally can be exported and imported into a GPO for domain-wide deployment. Be aware that netsh exports the entire local policy, including every built-in rule and the profile settings, and that Import Policy replaces whatever firewall configuration the GPO already holds; review the imported rules in the GPO editor before linking the GPO.
# Export local firewall policy (the target directory must already exist)
netsh advfirewall export "C:\Firewall-Baseline\FirewallPolicy.wfw"
# Import into the GPO in the Group Policy Management Editor:
# Windows Firewall with Advanced Security → right-click → Import Policy → select the .wfw file
# Or recreate the rules in the GPO editor by right-clicking "Inbound Rules" / "Outbound Rules"
# → New Rule and entering the same values as the PowerShell rules above
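The local-store-then-export route in Steps 4 to 6 drags every built-in local rule into the GPO. The following script is an added example, not part of the original guide: it writes the Step 3 profile settings, the Step 4 management rules and a Step 5 outbound allow-list that keeps the domain controllers reachable directly into the GPO with the NetSecurity cmdlets' GPO session. The domain name, GPO name, management subnet and domain controller addresses are assumptions; the HTTP/HTTPS web-server rules are deliberately left for a role-specific GPO.

```powershell
# Added example, not part of the original guide: build the baseline directly in the GPO
# with the NetSecurity cmdlets instead of creating rules locally and exporting a .wfw.
# Domain name, GPO name, management subnet and DC addresses are assumptions; change them.
$Domain  = 'corp.example.com'
$GpoName = 'WFAS-Servers-Baseline'          # the GPO must already exist (New-GPO)
$MgmtNet = '10.0.100.0/24'                  # management VLAN
$DCs     = @('10.0.1.10', '10.0.1.11')      # domain controllers

# One GPO session: every cmdlet below edits the cached copy, Save-NetGPO commits it once.
$gpo = Open-NetGPO -PolicyStore "$Domain\$GpoName"

# Step 3: profile defaults. Rule merging off, so local admins cannot widen the policy.
# LogAllowed is on for the validation phase; set it to False before production rollout.
Set-NetFirewallProfile -GPOSession $gpo -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block -NotifyOnListen False `
    -AllowLocalFirewallRules False -AllowLocalIPsecRules False `
    -LogBlocked True -LogAllowed True -LogMaxSizeKilobytes 16384 `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

# Step 4: inbound management access from the management subnet only. Role-specific
# rules (HTTP/HTTPS for web servers) belong in a separate GPO, not in this baseline.
$inbound = @(
    @{ Name = 'Allow RDP from Management Network';   Port = 3389;       Remote = $MgmtNet }
    @{ Name = 'Allow WinRM from Management Network'; Port = 5985, 5986; Remote = $MgmtNet }
    @{ Name = 'Allow SMB - Internal';                Port = 445;        Remote = '10.0.0.0/8' }
)
foreach ($r in $inbound) {
    New-NetFirewallRule -GPOSession $gpo -DisplayName $r.Name -Direction Inbound `
        -Protocol TCP -LocalPort $r.Port -RemoteAddress $r.Remote -Action Allow -Profile Domain
}

# Step 5: outbound allow-list. With the default set to Block, a domain member still has
# to reach its DCs for DNS, Kerberos, LDAP, SMB (SYSVOL, Group Policy), RPC and time,
# otherwise the next Group Policy refresh, including any fix to this GPO, never arrives.
$outbound = @(
    @{ Name = 'Allow DNS Outbound (UDP)';          Proto = 'UDP'; Port = 53;                   Remote = $DCs }
    @{ Name = 'Allow DNS Outbound (TCP)';          Proto = 'TCP'; Port = 53;                   Remote = $DCs }
    @{ Name = 'Allow Kerberos Outbound (TCP)';     Proto = 'TCP'; Port = 88, 464;              Remote = $DCs }
    @{ Name = 'Allow Kerberos Outbound (UDP)';     Proto = 'UDP'; Port = 88, 464;              Remote = $DCs }
    @{ Name = 'Allow LDAP/GC Outbound';            Proto = 'TCP'; Port = 389, 636, 3268, 3269; Remote = $DCs }
    @{ Name = 'Allow CLDAP Outbound (DC locator)'; Proto = 'UDP'; Port = 389;                  Remote = $DCs }
    @{ Name = 'Allow SMB to DCs Outbound';         Proto = 'TCP'; Port = 445;                  Remote = $DCs }
    @{ Name = 'Allow RPC to DCs Outbound';         Proto = 'TCP'; Port = 135, '49152-65535';   Remote = $DCs }
    @{ Name = 'Allow NTP Outbound';                Proto = 'UDP'; Port = 123;                  Remote = $DCs }
    @{ Name = 'Allow HTTPS Outbound';              Proto = 'TCP'; Port = 443;                  Remote = 'Any' }
)
foreach ($r in $outbound) {
    New-NetFirewallRule -GPOSession $gpo -DisplayName $r.Name -Direction Outbound `
        -Protocol $r.Proto -RemotePort $r.Port -RemoteAddress $r.Remote -Action Allow -Profile Domain
}

# Only now, with the allow rules sitting in the same GPO, make Block the Domain default.
Set-NetFirewallProfile -GPOSession $gpo -Profile Domain -DefaultOutboundAction Block

Save-NetGPO -GPOSession $gpo
```

Run it from a management workstation with the GroupPolicy and NetSecurity modules as a user who can edit the GPO. Because the allow rules and the DefaultOutboundAction change are committed in one Save-NetGPO, a target server never applies the Block default without the DC rules that keep it manageable; after the first gpupdate, Get-NetFirewallRule -PolicyStore RSOP on the target should list exactly these rules.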
Step 7: Configure IPsec Integration in WFAS
WFAS integrates with IPsec for connection authentication and encryption. The global IPsec settings only choose algorithms and authentication methods; they take effect solely for traffic that a connection security rule tells WFAS to request or require IPsec for, so add at least one such rule (Connection Security Rules → New Rule) alongside these settings or nothing changes on the wire.
In the WFAS GPO → Windows Firewall with Advanced Security → Properties → IPsec Settings tab:
- Key exchange (Main Mode): Advanced → Customize → replace the defaults, which still include Diffie-Hellman Group 2, SHA-1 and 3DES, with AES-256, SHA-256 and Diffie-Hellman Group 14 or Elliptic Curve Diffie-Hellman P-256/P-384
- Data protection (Quick Mode): Advanced → Customize → ESP with AES-256 encryption and SHA-256 integrity; remove the 3DES and SHA-1 entries
- Authentication method: Computer and User (Kerberos V5) for domain environments
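The same IPsec defaults can be pinned in the GPO from PowerShell, which is easier to review and repeat than the Customize dialogs. This is an added example, not code from the original guide: it sets the main mode, quick mode and authentication defaults described above and adds the connection security rule without which they would be inert. The domain and GPO names and the management subnet are assumptions.

```powershell
# Added example, not part of the original guide: pin WFAS's global IPsec defaults in the GPO
# to DH Group 14 / AES-256 / SHA-256, authenticate with Kerberos for computer and user, and
# require IPsec for inbound connections from the management subnet. Names are assumptions.
$gpo = Open-NetGPO -PolicyStore 'corp.example.com\WFAS-Servers-Baseline'

# Main mode (key exchange). The built-in default still offers DH Group 2, SHA-1 and 3DES.
$mm = New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA256 -KeyExchange DH14
New-NetIPsecMainModeCryptoSet -GPOSession $gpo -DisplayName 'Baseline Main Mode' `
    -Proposal $mm -Default

# Quick mode (data protection): ESP with AES-256 encryption and SHA-256 integrity.
$qm = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
New-NetIPsecQuickModeCryptoSet -GPOSession $gpo -DisplayName 'Baseline Quick Mode' `
    -Proposal $qm -Default

# Authentication: Kerberos for the computer account (phase 1) and the user (phase 2),
# which is what the "Computer and User (Kerberos V5)" option in the GUI produces.
$machineAuth = New-NetIPsecAuthProposal -Machine -Kerberos
New-NetIPsecPhase1AuthSet -GPOSession $gpo -DisplayName 'Baseline Computer Kerberos' `
    -Proposal $machineAuth -Default
$userAuth = New-NetIPsecAuthProposal -User -Kerberos
New-NetIPsecPhase2AuthSet -GPOSession $gpo -DisplayName 'Baseline User Kerberos' `
    -Proposal $userAuth -Default

# The defaults above do nothing by themselves. This connection security rule requires
# authenticated inbound connections from the management subnet (assumed address) and
# requests IPsec outbound, so unauthenticated RDP/WinRM attempts are dropped before
# the firewall rules from Step 4 are even consulted.
New-NetIPsecRule -GPOSession $gpo -DisplayName 'Require IPsec from Management Network' `
    -InboundSecurity Require -OutboundSecurity Request `
    -RemoteAddress '10.0.100.0/24' -Profile Domain

Save-NetGPO -GPOSession $gpo
```

Deploy this to the test server first and confirm with Get-NetIPsecMainModeSA and Get-NetIPsecQuickModeSA that security associations form from the management hosts, because a Require rule with a broken authentication path locks the administrators out rather than the attackers.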
Step 8: Apply and Verify the GPO
Link the GPO to the target OU and verify. Invoke-GPUpdate triggers the refresh through a remote scheduled task, so the target's inbound rules must allow the predefined "Remote Scheduled Tasks Management (RPC and RPC-EPMAP)" and "Windows Management Instrumentation (WMI-In)" rules from your management subnet; otherwise the remote refresh fails and you fall back to running gpupdate /force on the server itself:
New-GPLink -Name "WFAS-Servers-Baseline" `
-Target "OU=Servers,DC=corp,DC=example,DC=com" `
-Enforced Yes
# Force GPO refresh on target servers
Invoke-GPUpdate -Computer "SERVER01" -Force
# Verify the GPO is applied (run from an elevated prompt; /scope computer requires it)
gpresult /r /scope computer | Select-String "WFAS"
# Check which firewall rules actually came from Group Policy on the target server
Get-NetFirewallRule -PolicyStore RSOP | Where-Object { $_.DisplayName -match "Allow" } |
Select-Object DisplayName, Direction, Action, Enabled
Step 9: Monitor Firewall Logs
Review the firewall log file for dropped connections that may indicate blocked legitimate traffic or attack attempts. The log is whitespace-delimited with a #Fields header (date time action protocol src-ip dst-ip src-port dst-port size ...), so a pattern such as DROP.*3389 also matches lines where 3389 is the source port or the packet size; it is fine for a first look but not for counting attempts:
# Read the firewall log
Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" |
Select-Object -Last 100
# Quick look for blocked connections mentioning 3389 (RDP); matches any field containing 3389
Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" |
Where-Object { $_ -match "DROP.*3389" } |
Select-Object -Last 20
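To count real inbound RDP probes rather than every line containing 3389, parse the log by its #Fields header and filter on the individual columns. The script below is an added example, not part of the original guide; the log lines in it are constructed sample data (two external sources hitting 3389, one allowed management connection, an outbound drop whose source port happens to be 3389, and a UDP drop with 3389 as source port), and the management subnet is an assumption.

```powershell
# Added example, not part of the original guide: parse pfirewall.log by its #Fields header
# instead of grepping, then report inbound RDP drops from outside the management subnet.
# The log lines below are constructed sample data; the management subnet is an assumption.
$MgmtNet = '10.0.100.0/24'

$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2014-03-10 09:14:02 DROP TCP 203.0.113.45 10.0.20.15 51344 3389 52 S 3011122560 0 8192 - - - RECEIVE
2014-03-10 09:14:03 DROP TCP 203.0.113.45 10.0.20.15 51345 3389 52 S 3011122561 0 8192 - - - RECEIVE
2014-03-10 09:14:05 ALLOW TCP 10.0.100.21 10.0.20.15 50012 3389 0 - 0 0 0 - - - RECEIVE
2014-03-10 09:14:07 DROP TCP 10.0.20.15 10.0.50.7 3389 8080 52 S 122334455 0 8192 - - - SEND
2014-03-10 09:14:09 DROP UDP 10.0.33.9 10.0.20.15 3389 137 78 - - - - - - - RECEIVE
2014-03-10 09:14:11 DROP TCP 198.51.100.8 10.0.20.15 40021 3389 52 S 88231100 0 65535 - - - RECEIVE
'@ -split "`r?`n"
# For the real file: $SampleLog = Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

function Test-InSubnet {
    # IPv4 only; anything else (IPv6 sources, malformed values) is treated as outside.
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    $ipAddr = $null
    if (-not [System.Net.IPAddress]::TryParse($Ip, [ref]$ipAddr)) { return $false }
    $ipBytes  = $ipAddr.GetAddressBytes()
    $netBytes = [System.Net.IPAddress]::Parse($net).GetAddressBytes()
    if ($ipBytes.Length -ne 4) { return $false }
    [Array]::Reverse($ipBytes); [Array]::Reverse($netBytes)
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    return (([BitConverter]::ToUInt32($ipBytes, 0) -band $mask) -eq
            ([BitConverter]::ToUInt32($netBytes, 0) -band $mask))
}

function ConvertFrom-FirewallLog {
    # Turns each data line into an object whose property names come from the #Fields header.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#') -or -not $fields) { continue }
        $values = $line.Trim() -split '\s+'
        if ($values.Count -lt $fields.Count) { continue }   # truncated line, skip it
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $obj[$fields[$i]] = $values[$i] }
        [pscustomobject]$obj
    }
}

$events = ConvertFrom-FirewallLog -Lines $SampleLog

# Field-aware filter: dropped, TCP, received (not sent), destination port 3389,
# source outside the management subnet. Lines with 3389 as source port no longer match.
$rdpProbes = $events | Where-Object {
    $_.action -eq 'DROP' -and $_.protocol -eq 'TCP' -and $_.path -eq 'RECEIVE' -and
    $_.'dst-port' -eq '3389' -and -not (Test-InSubnet -Ip $_.'src-ip' -Cidr $MgmtNet)
}

# One row per source: how many attempts and when they started and stopped.
$rdpProbes | Group-Object 'src-ip' | Sort-Object Count -Descending | ForEach-Object {
    [pscustomobject]@{
        SourceIP  = $_.Name
        Attempts  = $_.Count
        FirstSeen = ($_.Group | Select-Object -First 1).time
        LastSeen  = ($_.Group | Select-Object -Last 1).time
    }
} | Format-Table -AutoSize

# Contrast with the coarse pattern from above, which also picks up the SEND and UDP lines.
($SampleLog | Where-Object { $_ -match 'DROP.*3389' }).Count
@($rdpProbes).Count
```

On the sample data the coarse pattern counts the outbound SEND line and the UDP line as "RDP drops", while the field-aware filter reports only the two external sources. The same ConvertFrom-FirewallLog output can be grouped by dst-port to find legitimate services the new policy is blocking, which is the other half of the review this step is about.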
Summary
Deploying Windows Firewall with Advanced Security via Group Policy ensures consistent, centrally managed firewall rules across all Windows Server 2012 R2 systems in your domain. By setting secure defaults for each profile (block inbound by default, log dropped packets), creating specific allow rules for required server roles, restricting management traffic to dedicated management subnets, and monitoring the firewall log, you have implemented host-based firewall protection that complements network-level perimeter security. With local rule merging disabled in the GPO, locally created rules cannot widen the policy, and new servers automatically receive the baseline configuration as soon as they join the domain and land in the linked OU.