Managing Windows 2012 Firewall with Advanced Security

The Windows Firewall with Advanced Security is a host-based firewall that runs on Windows Server 2012. The firewall is enabled for all profiles by default. You can manage the Windows Firewall either through the Windows Firewall MMC (Microsoft Management Console) snap-in or from PowerShell.

Configuring the firewall using Windows Firewall MMC

You can open the Windows Firewall MMC (Microsoft Management Console) to review and set firewall configurations in one of 2 ways:

1. Open the Server Manager from the task bar. Click the Tools menu and select Windows Firewall with Advanced Security.

2. Hit the Windows key, start typing 'firewall', and select the link for Windows Firewall with Advanced Security.

Once the Windows Firewall MMC page has loaded you can review your current rules as well as view the state of the firewall by clicking on Windows Firewall Properties. The settings box that opens allows you to modify the settings for each of the three firewall profiles (Domain, Private, and Public) as well as the IPsec settings.

Creating custom rules in the Windows Firewall allows for more granular control over inbound and outbound traffic to the server. Select either Inbound Rules or Outbound Rules on the left side of the management console to see the currently configured access rules. (Currently enabled and running rules are denoted by a green check box, while inactive rules are denoted by a grey check box.) For the purposes of this guide we will be creating a new inbound rule on port 8080.

To create a new custom rule, use one of the 2 methods mentioned above to open the Windows Firewall MMC and then click on Inbound Rules.

1) Once you have selected Inbound Rules, click New Rule on the right side of the MMC. This starts the 'New Inbound Rule Wizard'.

2) Select Custom from the Rule Type options and click Next.

3) Select the Program association for the custom firewall rule. The choices are either All programs or the path to a specific program. Click Next.

4) From the Protocol type field select the protocol type and click Next. For our purposes we will be using TCP as the protocol.

5) Select an IP address association for both local and remote addresses and click Next. For our purposes we are going with the default choice of 'All IP Addresses' for both options.

6) Select an action to take on traffic that matches our rule and click Next. In our case we are allowing the connection.

7) Select the network profiles associated with the custom rule and click Next. The default is to apply the rule to all 3 network profiles.

8) Provide a name for your new Firewall rule and an optional description and click Finish.

Once the rule has been created it is automatically enabled. To disable or remove the rule simply right click on the rule and choose Disable Rule or Delete.

Configuring the firewall using PowerShell

We will be using PowerShell to create the same rule as we did using the MMC.

1) Open up a PowerShell session.

2) To add a rule to allow connections to port 8080/TCP you would use the following syntax:

netsh advfirewall firewall add rule name="Open Port 8080" dir=in action=allow protocol=TCP localport=8080

You can view the status of any rule using the command 'netsh advfirewall firewall show rule'. Here is the status of the rule we just added.

PS C:\Users\Administrator> netsh advfirewall firewall show rule name="Open Port 8080"

Rule Name:                            Open Port 8080
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            8080
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow
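The same 8080/TCP inbound rule can also be created and checked with the NetSecurity module cmdlets that ship with Windows Server 2012. The block below is an added example, not code from the original guide; it narrows the rule to a remote subnet instead of the wizard's default of 'All IP Addresses', and the 10.0.0.0/24 management subnet it uses is a constructed placeholder.

```powershell
# Added example (not from the original guide). Run from an elevated PowerShell
# session on Windows Server 2012. The remote subnet is a constructed placeholder.

$ruleName = 'Open Port 8080'

# 1. Create the rule. RemoteAddress limits who can reach 8080/TCP; the guide's
#    netsh command leaves it at Any, which is the wizard's 'All IP Addresses'.
New-NetFirewallRule -DisplayName $ruleName `
    -Description 'Allow inbound 8080/TCP from the management subnet' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 8080 `
    -RemoteAddress '10.0.0.0/24' `
    -Profile Domain, Private, Public `
    -Enabled True | Out-Null

# 2. Review what was actually created. The rule object carries state, direction,
#    action and profiles; port and address scope live on the associated filters,
#    which is the same information 'netsh advfirewall firewall show rule' prints.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$port = $rule | Get-NetFirewallPortFilter
$addr = $rule | Get-NetFirewallAddressFilter

[pscustomobject]@{
    Name          = $rule.DisplayName
    Enabled       = $rule.Enabled
    Direction     = $rule.Direction
    Action        = $rule.Action
    Profiles      = $rule.Profile
    Protocol      = $port.Protocol
    LocalPort     = $port.LocalPort
    RemoteAddress = $addr.RemoteAddress
} | Format-List

# 3. List every enabled inbound Allow rule whose remote scope is still Any.
#    These are the rules worth reviewing on a server exposed beyond the LAN.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any' } |
    Select-Object DisplayName, Profile

# 4. Disable or remove the rule; the PowerShell equivalent of the MMC's
#    Disable Rule and Delete context-menu actions.
Set-NetFirewallRule -DisplayName $ruleName -Enabled False
# Remove-NetFirewallRule -DisplayName $ruleName
```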

For more assistance with Windows Firewall with Advanced Security and the netsh advfirewall syntax used from PowerShell, please review the following TechNet articles:

Windows Firewall with Advanced Security Design Guide

How to use the "netsh advfirewall firewall"