How to Configure Windows Server Firewall Rules

Windows Server Firewall blocks inbound and outbound connections by default unless a rule explicitly allows them. Knowing how to create, view, and manage firewall rules is essential for both security hardening and troubleshooting connectivity issues. Here is how to work with Windows Server firewall rules.

Open the Firewall Management Console

To open the full firewall management interface, press Win + R and type wf.msc. This opens Windows Defender Firewall with Advanced Security — the complete GUI for managing inbound and outbound rules, connection security rules, and profiles.

For a simpler view, go to Control Panel → Windows Defender Firewall — sufficient for enabling/disabling the firewall and checking the current profile status.

Understanding Firewall Profiles

Windows Server firewall has three profiles, and rules can apply to one, two, or all three:

  • Domain: active when the server is connected to its Active Directory domain network
  • Private: active when connected to a trusted private network (non-domain)
  • Public: active when connected to an untrusted network — the most restrictive profile by default

Most server traffic in a domain environment uses the Domain profile. When creating rules, ensure they apply to the correct profile.

Creating an Inbound Rule (GUI)

  1. In wf.msc, click Inbound Rules → New Rule
  2. Choose the rule type:
    • Port: allow or block a specific TCP or UDP port number — most common for server applications
    • Program: allow a specific executable through the firewall
    • Predefined: use a built-in rule set (e.g. Remote Desktop, File and Printer Sharing)
    • Custom: full control over all settings
  3. Select TCP or UDP and enter the port number (e.g. 443 for HTTPS, 3389 for RDP, 1433 for SQL Server)
  4. Select Allow the connection
  5. Choose which profiles the rule applies to (tick all three for simplicity, or Domain only for internal servers)
  6. Give the rule a descriptive name (e.g. “Allow HTTPS inbound — Web Server”)
  7. Click Finish

Creating Firewall Rules via PowerShell

# Allow inbound on a specific port
New-NetFirewallRule -DisplayName "Allow HTTPS Inbound" -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow

# Allow the SQL Server port, but only on the Domain profile
New-NetFirewallRule -DisplayName "Allow SQL Server" -Direction Inbound -Protocol TCP -LocalPort 1433 -Action Allow -Profile Domain

# Block outbound to a specific IP range
New-NetFirewallRule -DisplayName "Block External Range" -Direction Outbound -RemoteAddress 203.0.113.0/24 -Action Block

# Allow RDP from a specific IP only (security hardening)
New-NetFirewallRule -DisplayName "RDP from Management PC" -Direction Inbound -Protocol TCP -LocalPort 3389 -RemoteAddress 192.168.1.100 -Action Allow

View Existing Rules via PowerShell

# List all enabled inbound rules
Get-NetFirewallRule -Direction Inbound -Enabled True | Select-Object DisplayName, Action, Profile | Sort-Object DisplayName

# Find rules for a specific port (pipe the matching port filters back to Get-NetFirewallRule so the output shows rule names, not just filter IDs)
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq "3389" } | Get-NetFirewallRule | Select-Object DisplayName, Direction, Action, Enabled, Profile

# Check if a specific rule exists
Get-NetFirewallRule -DisplayName "Remote Desktop*"

Enabling Predefined Rules

Windows has built-in rule groups for common server scenarios. Rather than creating rules from scratch, enable the predefined group:

# Enable Remote Desktop
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

# Enable File and Printer Sharing
Enable-NetFirewallRule -DisplayGroup "File and Printer Sharing"

# Enable Windows Management Instrumentation (for remote PowerShell/WMI)
Enable-NetFirewallRule -DisplayGroup "Windows Management Instrumentation (WMI)"

# Enable Remote Event Log Management
Enable-NetFirewallRule -DisplayGroup "Remote Event Log Management"

Security Best Practices for Server Firewall Rules

  • Restrict by source IP where possible. If RDP should only be accessible from your management subnet, add a source IP restriction to the RDP rule. This dramatically reduces brute-force exposure.
  • Never open ports to 0.0.0.0/0 from the internet unless required. Each open port is an attack surface. Only expose what must be public.
  • Review rules periodically. Old rules accumulate over time — audit them annually and remove anything no longer needed.
  • Log dropped packets for investigation. In wf.msc, right-click Windows Defender Firewall with Advanced Security → Properties → Logging tab → enable logging for dropped packets. This helps diagnose connectivity problems without opening unnecessary rules.
  • Do not disable the firewall to fix connectivity problems. Diagnose the specific rule that is needed — disabling the firewall entirely is not an acceptable workaround on a production server.
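The following script is an added example (not from the original article) that puts the first two practices above into code: it lists enabled inbound Allow rules on sensitive ports whose remote address filter is still "Any", i.e. rules with no source IP restriction. The port list and the remediation rule name and subnet are assumptions to adjust for your environment.

```powershell
# Added example: audit enabled inbound Allow rules that have no source IP restriction.
# $SensitivePorts is an assumption; extend it with whatever you consider management-only.
$SensitivePorts = @('3389', '1433', '5985', '5986', '445')

function Get-UnrestrictedInboundRule {
    param([string[]]$Ports = $SensitivePorts)

    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $rule = $_
            $addr = $rule | Get-NetFirewallAddressFilter
            $port = $rule | Get-NetFirewallPortFilter
            # RemoteAddress "Any" means the rule accepts the port from every source
            if ($addr.RemoteAddress -contains 'Any' -and
                ($port.LocalPort | Where-Object { $Ports -contains $_ })) {
                [pscustomobject]@{
                    DisplayName   = $rule.DisplayName
                    Profile       = $rule.Profile
                    Protocol      = $port.Protocol
                    LocalPort     = ($port.LocalPort -join ',')
                    RemoteAddress = ($addr.RemoteAddress -join ',')
                }
            }
        }
}

# Report the findings
Get-UnrestrictedInboundRule | Format-Table -AutoSize

# Remediation pattern (hypothetical rule name and subnet): tighten the rule rather than delete it
# Set-NetFirewallRule -DisplayName 'RDP from Management PC' -RemoteAddress '192.168.1.0/24'
```

Run it after each change window and keep the output with your audit records; a rule that newly appears in the list is the one to question.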

Troubleshooting — Is the Firewall Blocking a Connection?

# Test if a port is reachable locally
Test-NetConnection -ComputerName localhost -Port 443

# Check if the firewall is blocking (enable logging first, then check)
Get-Content "C:\Windows\System32\LogFiles\Firewall\pfirewall.log" -Tail 50
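Reading the last 50 lines by eye works for a single failed connection; for a busier log, the added example below (not from the original article) parses the default `#Fields:` header that pfirewall.log writes and summarises DROP entries by protocol and destination port, with the source addresses seen. The sample log lines are constructed; point it at the real file with the commented line at the end.

```powershell
# Added example: summarise dropped packets from the Windows Firewall log.
# Assumes the default W3C-style log layout whose column names come from the "#Fields:" header line.
function Get-FirewallDropSummary {
    param([string[]]$Lines, [int]$Top = 10)

    $fields = $null
    $drops = foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # header lists column names, e.g. date time action protocol src-ip dst-ip src-port dst-port ...
            $fields = ($line -replace '^#Fields:\s*') -split '\s+'
            continue
        }
        if ($line -like '#*' -or -not $fields -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split '\s+'
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
        if ($rec['action'] -eq 'DROP') { [pscustomobject]$rec }
    }

    $drops | Group-Object protocol, 'dst-port' |
        Sort-Object Count -Descending | Select-Object -First $Top |
        ForEach-Object {
            [pscustomobject]@{
                Protocol = $_.Group[0].protocol
                DstPort  = $_.Group[0].'dst-port'
                Drops    = $_.Count
                Sources  = ($_.Group.'src-ip' | Sort-Object -Unique) -join ','
            }
        }
}

# Constructed sample lines in the default log format (addresses are documentation ranges, not real hosts)
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 10:00:01 DROP TCP 198.51.100.7 10.0.0.5 51512 3389 52 S 1234 0 8192 - - - RECEIVE
2024-05-01 10:00:02 DROP TCP 198.51.100.7 10.0.0.5 51513 3389 52 S 1235 0 8192 - - - RECEIVE
2024-05-01 10:00:03 ALLOW TCP 10.0.0.20 10.0.0.5 49200 443 52 S 1236 0 8192 - - - RECEIVE
2024-05-01 10:00:04 DROP UDP 10.0.0.33 10.0.0.5 137 137 78 - - - - - - - RECEIVE
'@ -split "`r?`n"

Get-FirewallDropSummary -Lines $sample | Format-Table -AutoSize

# Against the live log, e.g. the last 5000 lines:
# Get-FirewallDropSummary -Lines (Get-Content 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log' -Tail 5000)
```

A port that shows many drops from one internal source usually identifies the single rule you need to add; many drops on 3389 from outside your management range is the case for keeping the rule restricted.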
