Enable specific firewall ports

windows-firewallwindows-server-2012-r2

How can I disable all inbound and outbound ports in windows server 2012 and enable only specific ports such as 636, 389 (LDAP ports), and remote desktop port 3389?

I have already tried creating a new custom outbound rule to block all ports and programs but as I enable this custom block rule, other rule (which allow specific ports to enable) are not working.

Similarly, I have created custom rule to block all inbound ports and programs and enabled it. This blocked the RDP connection and LDAP connection though I added new rule to allow incoming connection on LDAP (636,389) and RDP (3389) ports.

Best Answer

The Windows Firewall does not react as a standard network Firewall.

When you have more than one rule matching your traffic, then the Block one will have precedence, regardless the rules order. If you have rules with both Allow and Block that will match traffic, then it will Blocked.

As a consequence, the following rules you are probably trying to set WILL NOT WORK, as the block rules for all udp/tcp ports will take precedence over the allowed ones for RDP/LDAP :

So, what to do now from there ?

1) Check-out the "Override" column. There it's setup to "No". You can setup it to "yes" but then you will need to specify an allowed computer or computer group...depending on your context (e.g AD or not) this option could not apply to you :

Use this option to allow the connections that match this firewall rule to override any firewall rules that explicitly block connections. This option is also known as authenticated bypass. Normally, rules that explicitly block connections have priority over rules that allow connections. If you use this option, the connection is allowed even if another rule blocks the connection. This option is most often used for vulnerability scanners. If you do not use this option, any blocking firewall rules that match the same firewall rule criteria will take precedence and the connections will be blocked. If you select this option, you must specify at least one computer or computer group for authorization on the Users and Computers tab.

https://technet.microsoft.com/en-us/library/cc730690(v=ws.10).aspx

2) Explicitly deny ports that overlap ones you explicitely need to allow, then allow only ones you need to open :

Related Solutions

Firewall – How to configure Windows Firewall to permit MSRPC

KB154596 "How to configure RPC dynamic port allocation to work with firewalls"

In short, it looks like you're going to be deploying a lot of registry changes via a GPO. Make sure to document all that you do and why you've done it. If anyone else has to curate the systems there, it will be quite a shock to see something as basic as RPC hardwired to certain ports. Not that it's bad, mind you. Just different.

Security – Configure Windows Firewall to block all except for specific traffic

I see there are three policies - public/private/domain. I've been making the same setting changes to each one, though I only have a single NIC and its assigned the domain policy.

As an aside, making changes to the firewall policies for public and private won't have any effect as long as your NIC is still using the Domain network profile.

According to this documentation the allow rules are supposed to take precedence over default rules. I want to set my default rule to block all traffic and only allow certain traffic with allow rules.

You are doing this the hard way. The default policy of the Domain profile implements a default deny ingress policy and a default allow egress (i.e, Inbound connections are blocked and Outbound connections are allowed.) If you've changed these defaults you can set them back in the Windows Firewall Properties dialog.

Then to enable ICMP traffic enable the following two allow rules:

   File and Printer Sharing (Echo Request - ICMPv4-In)
   File and Printer Sharing (Echo Request - ICMPv6-In)

Best Answer

Related Solutions

Firewall – How to configure Windows Firewall to permit MSRPC

Security – Configure Windows Firewall to block all except for specific traffic

Related Topic