Windows Firewall with Advanced Security

I don't know very many people that take the Windows Firewall seriously.  That's too bad because the Windows Firewall with Advanced Security in Windows Vista, 7, Server 2008, and newer operating systems has some features that can help you baseline what "normal" traffic is on your systems.  

Below is a sample script I use when building out a 2008R2 server. (Yeah, I know Netsh is supposed to be going away, so maybe I'll re-write this in PowerShell for a future post.)

Configure Logging 

First of all I want to turn on logging for everything inbound and outbound.  By default, the settings for logging are disabled (only verified this for Windows 7 and Server 2008R2).  I want to set the log size to the max 32 MB and log all dropped and allowed connections.  

Sample Script:

echo "Turn on Logging for all connections..." netsh advfirewall set Domainprofile logging filename %systemroot%\system32\LogFiles\Firewall\pfirewall.log netsh advfirewall set Domainprofile logging maxfilesize 32767 netsh advfirewall set Domainprofile logging droppedconnections enable netsh advfirewall set Domainprofile logging allowedconnections enable netsh advfirewall set Privateprofile logging filename %systemroot%\system32\LogFiles\Firewall\pfirewall.log netsh advfirewall set Privateprofile logging maxfilesize 32767 netsh advfirewall set Privateprofile logging droppedconnections enable netsh advfirewall set Privateprofile logging allowedconnections enable netsh advfirewall set Publicprofile logging filename %systemroot%\system32\LogFiles\Firewall\pfirewall.log netsh advfirewall set Publicprofile logging maxfilesize 32767 netsh advfirewall set Publicprofile logging droppedconnections enable netsh advfirewall set Publicprofile logging allowedconnections enable

This is important because the default firewall settings only drop inbound connections that do not explicitly match a defined rule.  Outbound connections are allowed anywhere, anytime by default.  (I'll come back to this topic in another post later.)

Disable Unused Rules

Also, best practice is to disable anything you aren't using, and since I'm not running IPv6 on my network, I want to disable all of the IPv6 related rules.  It is always good to double check that IPv6 is actually unchecked on your NIC as well.

Sample Script:

echo "Turn off IPv6 Inbound Rules..." netsh advfirewall firewall set rule name="Core Networking - Destination Unreachable (ICMPv6-In)" dir=in new enable=no netsh advfirewall firewall set rule name="Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCPV6-In)" dir=in new enable=no netsh advfirewall firewall set rule name="Core Networking - IPv6 (IPv6-In)" dir=in new enable=no netsh advfirewall firewall set rule name="Core Networking - Multicast Listener Done (ICMPv6-In)" dir=in new enable=no netsh advfirewall firewall set rule name="Core Networking - Multicast Listener Query (ICMPv6-In)" dir=in new enable=no netsh advfirewall firewall set rule name="Core Networking - Multicast Listener Report (ICMPv6-In)" dir=in new enable=no netsh advfirewall firewall set rule name="Core Networking - Multicast Listener Report v2 (ICMPv6-In)" dir=in new enable=no netsh advfirewall firewall set rule name="Core Networking - Neighbor Discovery Advertisement (ICMPv6-In)" dir=in new enable=no netsh advfirewall firewall set rule name="Core Networking - Neighbor Discovery Solicitation (ICMPv6-In)" dir=in new enable=no netsh advfirewall firewall set rule name="Core Networking - Packet Too Big (ICMPv6-In)" dir=in new enable=no netsh advfirewall firewall set rule name="Core Networking - Parameter Problem (ICMPv6-In)" dir=in new enable=no netsh advfirewall firewall set rule name="Core Networking - Router Advertisement (ICMPv6-In)" dir=in new enable=no netsh advfirewall firewall set rule name="Core Networking - Router Solicitation (ICMPv6-In)" dir=in new enable=no netsh advfirewall firewall set rule name="Core Networking - Teredo (UDP-In)" dir=in new enable=no netsh advfirewall firewall set rule name="Core Networking - Time Exceeded (ICMPv6-In)" dir=in new enable=no echo "Turn off IPv6 Outbound Rules..." netsh advfirewall firewall set rule name="Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCPV6-Out)" dir=out new enable=no netsh advfirewall firewall set rule name="Core Networking - IPv6 (IPv6-Out)" dir=out new enable=no netsh advfirewall firewall set rule name="Core Networking - Multicast Listener Done (ICMPv6-Out)" dir=out new enable=no netsh advfirewall firewall set rule name="Core Networking - Multicast Listener Query (ICMPv6-Out)" dir=out new enable=no netsh advfirewall firewall set rule name="Core Networking - Multicast Listener Report (ICMPv6-Out)" dir=out new enable=no netsh advfirewall firewall set rule name="Core Networking - Multicast Listener Report v2 (ICMPv6-Out)" dir=out new enable=no netsh advfirewall firewall set rule name="Core Networking - Neighbor Discovery Advertisement (ICMPv6-Out)" dir=out new enable=no netsh advfirewall firewall set rule name="Core Networking - Neighbor Discovery Solicitation (ICMPv6-Out)" dir=out new enable=no netsh advfirewall firewall set rule name="Core Networking - Packet Too Big (ICMPv6-Out)" dir=out new enable=no netsh advfirewall firewall set rule name="Core Networking - Parameter Problem (ICMPv6-Out)" dir=out new enable=no netsh advfirewall firewall set rule name="Core Networking - Router Advertisement (ICMPv6-Out)" dir=out new enable=no netsh advfirewall firewall set rule name="Core Networking - Router Solicitation (ICMPv6-Out)" dir=out new enable=no netsh advfirewall firewall set rule name="Core Networking - Teredo (UDP-Out)" dir=out new enable=no netsh advfirewall firewall set rule name="Core Networking - Time Exceeded (ICMPv6-Out)" dir=out new enable=no


ICMP Echo Request

Next I want to enable the default echo request rule so I can ping this new server. 

Sample Script:

echo "Turn on Inbound Echo Request so I can ping this box..." netsh advfirewall firewall set rule name="File and Printer Sharing (Echo Request - ICMPv4-In)" dir=in new enable=yes

There may be some other rules that you should disable depending on your environment, (such as DCHP or IGMP), but this should provide a decent example to get started with Netsh and the Windows Firewall with Advanced Security.