- Windows Defender Firewall with Advanced Security deployment overview
- About this guide
- What this guide does not provide
- Windows Defender Firewall with Advanced Security design guide
- About this guide
- In this section
- Terminology used in this guide
- Windows Firewall with Advanced Security Overview
- Feature description
- Practical applications
- New and changed functionality
- Windows Defender Firewall with Advanced Security
- Overview of Windows Defender Firewall with Advanced Security
- Feature description
- Practical applications
Windows Defender Firewall with Advanced Security deployment overview
Applies to
- WindowsВ 10
- Windows Server 2016
You can use the Windows Defender Firewall with Advanced Security MMC snap-in with devices running at least WindowsВ Vista or Windows ServerВ 2008 to help protect the devices and the data that they share across a network.
You can use Windows Defender Firewall to control access to the device from the network. You can create rules that allow or block network traffic in either direction based on your business requirements. You can also create IPsec connection security rules to help protect your data as it travels across the network from device to device.
About this guide
This guide is intended for use by system administrators and system engineers. It provides detailed guidance for deploying a Windows Defender Firewall with Advanced Security design that you or an infrastructure specialist or system architect in your organization has selected.
If you have not yet selected a design, we recommend that you wait to follow the instructions in this guide until after you have reviewed the design options in the Windows Defender Firewall with Advanced Security Design Guide and selected the one most appropriate for your organization.
After you select your design and gather the required information about the zones (isolation, boundary, and encryption), operating systems to support, and other details, you can then use this guide to deploy your Windows Defender Firewall with Advanced Security design in your production environment. This guide provides steps for deploying any of the following primary designs that are described in the Design Guide:
Use the checklists in Implementing Your Windows Defender Firewall with Advanced Security Design Plan to determine how best to use the instructions in this guide to deploy your particular design.
We recommend that you use the techniques documented in this guide only for GPOs that must be deployed to the majority of the devices in your organization, and only when the OU hierarchy in your Active Directory domain does not match the deployment needs of these GPOs. These characteristics are typical of GPOs for server and domain isolation scenarios, but are not typical of most other GPOs. When the OU hierarchy supports it, deploy a GPO by linking it to the lowest level OU that contains all of the accounts to which the GPO applies.
In a large enterprise environment with hundreds or thousands of GPOs, using this technique with too many GPOs can result in user or device accounts that are members of an excessive number of groups; this can result in network connectivity problems if network protocol limits are exceeded. В
What this guide does not provide
This guide does not provide:
Guidance for creating firewall rules for specific network applications. For this information, see Planning Settings for a Basic Firewall Policy in the Windows Defender Firewall with Advanced Security Design Guide.
Guidance for setting up ActiveВ Directory Domain Services (ADВ DS) to support Group Policy.
Guidance for setting up certification authorities (CAs) to create certificates for certificate-based authentication.
For more information about Windows Defender Firewall with Advanced Security, see Windows Defender Firewall with Advanced Security Overview.
Windows Defender Firewall with Advanced Security design guide
Applies to
- WindowsВ 10
- Windows Server 2016
Windows Defender Firewall with Advanced Security is a host firewall that helps secure the device in two ways. First, it can filter the network traffic permitted to enter the device from the network, and also control what network traffic the device is allowed to send to the network. Second, Windows Defender Firewall supports IPsec, which enables you to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot authenticate cannot communicate with your device. By using IPsec, you can also require that specific network traffic be encrypted to prevent it from being read or intercepted while in transit between devices.
The interface for Windows Defender Firewall is much more capable and flexible than the consumer-friendly interface found in the Windows Defender Firewall Control Panel. They both interact with the same underlying services, but provide different levels of control over those services. While the Windows Defender Firewall Control Panel meets the needs for protecting a single device in a home environment, it does not provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment.
About this guide
This guide provides recommendations to help you to choose or create a design for deploying Windows Defender Firewall in your enterprise environment. The guide describes some of the common goals for using Windows Defender Firewall, and then helps you map the goals that apply to your scenario to the designs that are presented in this guide.
This guide is intended for the IT professional who has been assigned the task of deploying firewall and IPsec technologies on an organization’s network to help meet the organization’s security goals.
Windows Defender Firewall should be part of a comprehensive security solution that implements a variety of security technologies, such as perimeter firewalls, intrusion detection systems, virtual private networking (VPN), IEEE 802.1X authentication for wireless and wired connections, and IPsec connection security rules.
To successfully use this guide, you need a good understanding of both the capabilities provided by Windows Defender Firewall, and how to deliver configuration settings to your managed devices by using Group Policy in Active Directory.
You can use the implementation goals to form one of these Windows Defender Firewall with Advanced Security designs, or a custom design that combines elements from those presented here:
Basic firewall policy design. Restricts network traffic in and out of your devices to only that which is needed and authorized.
Domain isolation policy design. Prevents devices that are domain members from receiving unsolicited network traffic from devices that are not domain members. Additional «zones» can be established to support the special requirements of some devices, such as:
A «boundary zone» for devices that must be able to receive requests from non-isolated devices.
An «encryption zone» for devices that store sensitive data that must be protected during network transmission.
Server isolation policy design. Restricts access to a server to only a limited group of authorized users and devices. Commonly configured as a zone in a domain isolation design, but can also be configured as a stand-alone design, providing many of the benefits of domain isolation to a small set of devices.
Certificate-based isolation policy design. This design is a complement to either of the previous two designs, and supports any of their capabilities. It uses cryptographic certificates that are deployed to clients and servers for authentication, instead of the KerberosВ V5 authentication used by default in Active Directory. This enables devices that are not part of an Active Directory domain, such as devices running operating systems other than Windows, to participate in your isolation solution.
In addition to descriptions and example for each design, you will find guidelines for gathering required data about your environment. You can then use these guidelines to plan and design your Windows Defender Firewall with Advanced Security deployment. After you read this guide, and finish gathering, documenting, and mapping your organization’s requirements, you have the information that you need to begin deploying Windows Defender Firewall using the guidance in the Windows Defender Firewall with Advanced Security Deployment Guide.
You can find the Windows Defender Firewall with Advanced Security Deployment Guide at these locations:
(Downloadable Word document)
In this section
| Topic | Description |
|---|---|
| Understanding the Windows Defender Firewall with Advanced Security Design Process | Learn how to get started with the Windows Defender Firewall with Advanced Security design process. |
| Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals | Learn how to identify your Windows Defender Firewall with Advanced Security implementation goals. |
| Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design | After you finish reviewing the existing Windows Defender Firewall with Advanced Security implementation goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Defender Firewall with Advanced Security design. |
| Designing a Windows Defender Firewall with Advanced Security Strategy | To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. |
| Planning Your Windows Defender Firewall with Advanced Security Design | After you have gathered the relevant information in the previous sections, and understand the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs. |
| Appendix A: Sample GPO Template Files for Settings Used in this Guide | You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC). |
Terminology used in this guide
The following table identifies and defines terms used throughout this guide.
Windows Firewall with Advanced Security Overview
Applies To: Windows Server 2012 R2, Windows Server 2012, Windows 8
This is an overview of the Windows Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features in Windows Server 2012.
Did you mean…
Feature description
Windows Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a computer, Windows Firewall with Advanced Security blocks unauthorized network traffic flowing into or out of the local computer. Windows Firewall with Advanced Security also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the computer is connected. Windows Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Firewall with Advanced Security, so Windows Firewall is also an important part of your network’s isolation strategy.
Practical applications
To help address your organizational network security challenges, Windows Firewall with Advanced Security offers the following benefits:
Reduces the risk of network security threats.В В Windows Firewall with Advanced Security reduces the attack surface of a computer, providing an additional layer to the defense-in-depth model. Reducing the attack surface of a computer increases manageability and decreases the likelihood of a successful attack. Network Access Protection (NAP), a feature of Windows Server 2012, also helps ensure client computers comply with policies that define the required software and system configurations for computers that connect to your network. The integration of NAP helps prevent communications between compliant and noncompliant computers.
Safeguards sensitive data and intellectual property.В В With its integration with IPsec, Windows Firewall with Advanced Security provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data.
Extends the value of existing investments.В В Because Windows Firewall with Advanced Security is a host-based firewall that is included with Windows Server 2012, and prior Windows operating systems and because it is tightly integrated with Active DirectoryВ® Domain Services (ADВ DS) and Group Policy, there is no additional hardware or software required. Windows Firewall with Advanced Security is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API).
New and changed functionality
The following table lists some of the new features for Windows Firewall with Advanced Security in Windows Server 2012.
Windows ServerВ 2008В R2
Windows Server 2012
Internet Key Exchange versionВ 2 (IKEv2) for IPsec transport mode
Windows Defender Firewall with Advanced Security
Applies to
- WindowsВ 10
- Windows Server 2016
- Windows Server 2019
This is an overview of the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features.
Overview of Windows Defender Firewall with Advanced Security
Windows Defender Firewall in Windows 8, WindowsВ 7, WindowsВ Vista, Windows Server 2012, Windows ServerВ 2008, and Windows ServerВ 2008В R2 is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot be authenticated as a trusted device cannot communicate with your device. You can also use IPsec to require that certain network traffic is encrypted to prevent it from being read by network packet analyzers that could be attached to the network by a malicious user.
The Windows Defender Firewall with Advanced Security MMC snap-in is more flexible and provides much more functionality than the consumer-friendly Windows Defender Firewall interface found in the Control Panel. Both interfaces interact with the same underlying services, but provide different levels of control over those services. While the Windows Defender Firewall Control Panel program can protect a single device in a home environment, it does not provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment.
Feature description
Windows Defender Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device. Windows Defender Firewall also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected. Windows Defender Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Defender Firewall, so Windows Defender Firewall is also an important part of your network’s isolation strategy.
Practical applications
To help address your organizational network security challenges, Windows Defender Firewall offers the following benefits:
Reduces the risk of network security threats.В В Windows Defender Firewall reduces the attack surface of a device, providing an additional layer to the defense-in-depth model. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.
Safeguards sensitive data and intellectual property.В В With its integration with IPsec, Windows Defender Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data.
Extends the value of existing investments.В В Because Windows Defender Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Defender Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API).
