Windows firewall group policy

Configure Firewall Port Requirements for Group Policy

Applies To: Windows 8.1, Windows Server 2012 R2, Windows Server 2012, Windows 8

You can use the information in this topic to configure the firewall port requirements for Group Policy. Group Policy requires that firewall ports are opened on client computers for an administrator to perform these two remote operations:

  • Remote Group Policy Results (RSoP) reporting
  • Remote Group Policy refresh

By default, Windows Firewall allows all outbound network traffic, and it allows only the inbound traffic that is permitted by firewall rules. This topic identifies the TCP and UDP ports for which you must have active firewall rules to allow the inbound traffic. This allows Group Policy to perform remote Group Policy Results reporting from client computers and to perform remote Group Policy refresh on client computers. You can use the information in this topic to configure non-Microsoft firewall products and to create a GPO that configures a client computer with the required firewall rules. This topic also presents two new Starter Group Policy Objects (GPOs) that configure the proper firewall rules on client computers.

If you have configured client computers by using Group Policy, the Group Policy settings override any manual configuration of the client computers to which the policies are applied. If you want to review these rules, from the Group Policy Management Console (GPMC) you can run a Group Policy Results report or a Group Policy Planning report. Or, from a client computer, open the Windows Firewall with Advanced Security MMC snap-in and click Inbound Rules. Membership in the Administrators group, or equivalent, is the minimum required to make these configuration changes.

If you use a non-Microsoft firewall product, check your firewall product documentation for instructions about how to open these ports to allow network traffic as required by Group Policy.

Remote Resultant Set of Policy (RSoP) Group Policy results: ports that require firewall rules

You can use the RSoP feature of the GPMC to create detailed reports about the policy settings that are applied to computers or users who have signed in. When RSoP reporting targets remote computers, all connections are direct to each remote client from the computer running the GPMC (that is, not transitively through a domain controller).

To use RSoP reporting for remotely targeted computers through the firewall, you must have firewall rules that allow inbound network traffic on the ports listed in the following table. This allows remote WMI and event log traffic to flow between the computer running the GPMC and the remotely targeted computer.

Type of network traffic                                                 | Firewall rule
------------------------------------------------------------------------|---------------------------------------------
TCP SMB 445, all services and programs                                  | Remote Event Log Management (NP-in)
TCP RPC dynamic ports, EventLog (Windows Event Log service)             | Remote Event Log Management (RPC)
TCP port 135, RPCSS (Remote Procedure Call service)                     | Remote Event Log Management (RPC-EPMAP)
TCP all ports, Winmgmt (Windows Management Instrumentation service)     | Windows Management Instrumentation (WMI-in)

Configure firewall rules by creating a GPO from the Group Policy Reporting Firewall Ports Starter GPO and linking to the domain

In Windows Server 2012, Group Policy adds a new Starter GPO called Group Policy Reporting Firewall Ports. This Starter GPO includes policy settings to configure the firewall rules that are specified in the previous table. This enables inbound network traffic on those ports, which is necessary to allow the GPMC to gather the Group Policy Results (RSoP) information from a remote computer. It is a best practice to create a new GPO from this Starter GPO, and then link the new GPO to your domain with a higher precedence than the Default Domain Policy, so that you can configure all computers in the domain for remote Group Policy Results reporting.

To create a GPO from the Group Policy Reporting Firewall Ports Starter GPO and link to the domain

1. In the GPMC console tree, right-click the domain for which you want to configure all computers to enable a remote Group Policy refresh, and then click Create a GPO in this domain, and Link it here….

2. In the New GPO dialog box, type the name of the new Group Policy Object in the Name box.

3. Select the Group Policy Reporting Firewall Ports Starter GPO from the Source Starter GPO list that you want to use to create a new Group Policy Object.

   If you do not see any Starter GPOs listed, cancel creating a GPO and do the following before you return to Step 1: Navigate to Starter GPOs. In the results pane, click Create Starter GPOs Folder.

4. Click OK.

5. In the results pane, click the Linked Group Policy Objects tab.

6. Select the GPO that you just created. Click the Up arrow until the GPO you just created is located above the Default Domain Policy. The new GPO will then have a smaller link-order value than the Default Domain Policy.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

You can use the New-GPO cmdlet with the -StarterGpoName parameter to create a new GPO. You can then pipe the output from the New-GPO cmdlet to the New-GPLink cmdlet.

For example, to create a new GPO, called Configure firewall rules for remote reporting, based on the Group Policy Reporting Firewall Ports Starter GPO, and link the GPO to the Contoso.com domain, type the following:

For more information about the New-GPO cmdlet and the New-GPLink cmdlet, see:

Remote Group Policy refresh: ports that require firewall rules

To schedule a remote Group Policy refresh for domain-joined computers you must have firewall rules that enable inbound network traffic on the ports listed in the following table.

Type of network traffic                                                 | Firewall rule
------------------------------------------------------------------------|---------------------------------------------
TCP RPC dynamic ports, Schedule (Task Scheduler service)                | Remote Scheduled Tasks Management (RPC)
TCP port 135, RPCSS (Remote Procedure Call service)                     | Remote Scheduled Tasks Management (RPC-EPMAP)
TCP all ports, Winmgmt (Windows Management Instrumentation service)     | Windows Management Instrumentation (WMI-in)
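The following script is an added example, not part of the original topic, that checks on a client computer whether the inbound rules listed in this table and in the RSoP table above are present and enabled, and shows the local port each one opens. It uses the NetSecurity module cmdlets Get-NetFirewallRule and Get-NetFirewallPortFilter (Windows 8 / Windows Server 2012 and later); the function name Get-GroupPolicyFirewallStatus and the $RequiredGroups variable are my own.

```powershell
# Added example (not from the original topic): verify that the inbound firewall
# rules the two tables require are in effect on this computer. Run from an
# elevated prompt so the ActiveStore view reflects GPO-delivered rules.

# Rule groups the two tables reference. RSoP reporting needs the first and
# third; remote Group Policy refresh needs the second and third.
$RequiredGroups = @(
    'Remote Event Log Management',
    'Remote Scheduled Tasks Management',
    'Windows Management Instrumentation (WMI)'
)

function Get-GroupPolicyFirewallStatus {
    param([string[]]$Groups = $RequiredGroups)

    foreach ($group in $Groups) {
        # ActiveStore shows the rules actually applied, whether they came from
        # local configuration or from a GPO.
        $rules = Get-NetFirewallRule -DisplayGroup $group -Direction Inbound `
                     -PolicyStore ActiveStore -ErrorAction SilentlyContinue
        if (-not $rules) {
            [pscustomobject]@{
                Group = $group; Rule = '(no rule found)'; Enabled = $false
                Profile = ''; Protocol = ''; LocalPort = ''
            }
            continue
        }
        foreach ($rule in $rules) {
            # The port filter carries the protocol and local port of the rule.
            $port = $rule | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Group     = $group
                Rule      = $rule.DisplayName
                Enabled   = ($rule.Enabled -eq 'True')
                Profile   = $rule.Profile
                Protocol  = $port.Protocol
                LocalPort = ($port.LocalPort -join ',')
            }
        }
    }
}

$status = Get-GroupPolicyFirewallStatus
$status | Format-Table -AutoSize

# A disabled or missing rule is the usual reason a remote Group Policy Results
# report or a remote gpupdate against this computer fails.
$notEnabled = $status | Where-Object { -not $_.Enabled }
if ($notEnabled) {
    Write-Warning "Inbound rules not enabled: $($notEnabled.Rule -join '; ')"
}
```

Run it before and after the GPO built from the Starter GPO applies: the first run shows which of the required rules the client still blocks, the second confirms that the GPO enabled them. Rules that appear with Enabled False only for a profile the computer is not using (for example Public on a domain-joined machine) are not a problem.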

Configure firewall rules by creating a GPO from the Group Policy Remote Update Firewall Ports Starter GPO and linking to the domain

In Windows Server 2012, Group Policy adds a new Starter GPO called Group Policy Remote Update Firewall Ports. This Starter GPO includes policy settings to configure the firewall rules that are specified in the previous table. This enables inbound network traffic on those ports, which is necessary to allow the remote Group Policy refresh to run. It is a best practice to create a new GPO from this Starter GPO, and then link the new GPO to your domain with a higher precedence than the Default Domain Policy, so that you can configure all computers in the domain to enable a remote Group Policy refresh.


To create a GPO from the Group Policy Remote Update Firewall Ports Starter GPO and link to the domain

1. In the GPMC console tree, right-click the domain for which you want to configure all computers to enable a remote Group Policy refresh, and then click Create a GPO in this domain, and Link it here….

2. In the New GPO dialog box, type the name of the new Group Policy Object in the Name box.

3. Select the Group Policy Remote Update Firewall Ports Starter GPO from the Source Starter GPO list.

   If you do not see any Starter GPOs listed, cancel creating a GPO and do the following before you return to Step 1: Navigate to Starter GPOs. In the results pane, click Create Starter GPOs Folder.

4. Click OK.

5. In the results pane, click the Linked Group Policy Objects tab.

6. Select the GPO that you just created. Click the Up arrow until the GPO you just created is above the Default Domain Policy in link order. The new GPO will then have a smaller link-order value than the Default Domain Policy.

Windows PowerShell equivalent commands

The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.

You can use the New-GPO cmdlet with the -StarterGpoName parameter to create a new GPO. You can then pipe the output from the New-GPO cmdlet to the New-GPLink cmdlet.

For example, to create a new GPO, called Configure firewall rules for remote gpupdate, which is based on the Group Policy Remote Update Firewall Ports Starter GPO, and link the GPO to the Contoso.com domain, type the following:
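The topic's own command lines did not survive extraction, so the script below is an added example (not the topic's text) that does what both of the Windows PowerShell passages describe: it creates a GPO from each of the two Starter GPOs, links it to the domain, and then moves the link above Default Domain Policy, as the two procedures require. It uses the GroupPolicy module cmdlets Get-GPStarterGPO, Get-GPO, New-GPO, New-GPLink, Set-GPLink and Get-GPInheritance, takes the GPO and Starter GPO names from the two passages, and assumes the domain is Contoso.com (distinguished name dc=contoso,dc=com); the function name New-FirewallPortsGpo is my own.

```powershell
# Added example (not from the original topic): create both firewall-port GPOs
# from their Starter GPOs, link them to the domain and give them precedence
# over Default Domain Policy. Requires the GroupPolicy module (GPMC / RSAT).

Import-Module GroupPolicy

$DomainDn = 'dc=contoso,dc=com'   # assumed domain from the text; adjust

# GPO names and Starter GPO names as given in the two passages above.
$Definitions = @(
    @{ Name = 'Configure firewall rules for remote reporting'
       Starter = 'Group Policy Reporting Firewall Ports' },
    @{ Name = 'Configure firewall rules for remote gpupdate'
       Starter = 'Group Policy Remote Update Firewall Ports' }
)

function New-FirewallPortsGpo {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$StarterGpoName,
        [Parameter(Mandatory)][string]$Target
    )

    # Starter GPOs exist only after the Starter GPOs folder has been created
    # in GPMC (step 3 of the procedure), so fail early with a clear message.
    if (-not (Get-GPStarterGPO -Name $StarterGpoName -ErrorAction SilentlyContinue)) {
        throw "Starter GPO '$StarterGpoName' not found; create the Starter GPOs folder in GPMC first."
    }

    # Reuse an existing GPO of the same name rather than creating a duplicate.
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $Name -StarterGpoName $StarterGpoName
    }

    # Link it to the domain if it is not linked there yet (the "Create a GPO in
    # this domain, and Link it here" step).
    $links = (Get-GPInheritance -Target $Target).GpoLinks
    if (-not ($links | Where-Object { $_.DisplayName -eq $Name })) {
        $gpo | New-GPLink -Target $Target -LinkEnabled Yes | Out-Null
    }

    # Link order 1 is the highest precedence at this scope, so the new GPO's
    # firewall rules win over Default Domain Policy (step 6 of the procedure).
    # Running this for the second GPO pushes the first to order 2; both still
    # sit above Default Domain Policy.
    Set-GPLink -Name $Name -Target $Target -Order 1 | Out-Null
    return $gpo
}

foreach ($d in $Definitions) {
    New-FirewallPortsGpo -Name $d.Name -StarterGpoName $d.Starter -Target $DomainDn |
        Select-Object DisplayName, Id
}

# Verify the resulting link order at the domain: both new GPOs should precede
# Default Domain Policy.
(Get-GPInheritance -Target $DomainDn).GpoLinks | Select-Object Order, DisplayName, Enabled
```

The single-line form the topic asks for is the body of the function without the checks: New-GPO -Name "…" -StarterGpoName "…" | New-GPLink -Target "dc=contoso,dc=com" -LinkEnabled Yes. The script wraps it in existence and link checks so it is safe to rerun, and it reads the link order back with Get-GPInheritance so the precedence change is verified rather than assumed.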

For more information about the New-GPO cmdlet and the New-GPLink cmdlet, see:

Group Policy Management of Windows Defender Firewall

Applies to

  • Windows 10
  • Windows Server 2016

To open a GPO to Windows Defender Firewall:

1. Open the Group Policy Management console.

2. In the navigation pane, expand Forest: YourForestName, expand Domains, expand YourDomainName, expand Group Policy Objects, right-click the GPO you want to modify, and then click Edit.

3. In the navigation pane of the Group Policy Object Editor, navigate to Computer Configuration > Administrative Templates > Network > Network Connections > Windows Defender Firewall.


GPO_DOMISO_Firewall

Applies to

  • Windows 10
  • Windows Server 2016

This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to devices that are running at least Windows 7 or Windows Server 2008.

Firewall settings

This GPO provides the following settings:

Unless otherwise stated, the firewall rules and settings described here are applied to all profiles.

The firewall is enabled, with inbound, unsolicited connections blocked and outbound connections allowed.

Under the domain profile, the settings Display notifications to the user, Apply local firewall rules, and Apply local connection security rules are all set to No. These settings are applied only to the domain profile because the devices can only receive an exception rule for a required program from a GPO if they are connected to the domain. Under the public and private profiles, those settings are all set to Yes.

Note: Enforcing these settings requires that you define any firewall exceptions for programs, because the user cannot manually permit a new program. You must deploy the exception rules by adding them to this GPO. We recommend that you do not enable these settings until you have tested all your applications and have tested the resulting rules in a test lab and then on pilot devices.

Firewall rules

This GPO provides the following rules:

Built-in firewall rule groups are configured to support typically required network operation. The following rule groups are set to Allow the connection:

  • Core Networking
  • File and Printer Sharing
  • Network Discovery
  • Remote Administration
  • Remote Desktop
  • Remote Event Log Management
  • Remote Scheduled Tasks Management
  • Remote Service Management
  • Remote Volume Management
  • Windows Defender Firewall Remote Management
  • Windows Management Instrumentation (WMI)
  • Windows Remote Management
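The script below is an added example, not part of the original topic, showing how the profile settings and rule groups described for GPO_DOMISO_Firewall can be written into a domain GPO with the NetSecurity module cmdlets instead of the GPMC editor. It assumes a GPO named GPO_DOMISO_Firewall already exists in the domain contoso.com (NetSecurity addresses a GPO as "domain\GPO name"), that it runs on a host with the GPMC tools and permission to edit that GPO, and that the built-in rule groups are copied from the local persistent store with Copy-NetFirewallRule -NewPolicyStore. The function names Set-DomIsoFirewallProfiles and Add-DomIsoRuleGroups are my own.

```powershell
# Added example (not from the original topic): build the GPO_DOMISO_Firewall
# settings and rule groups into a domain GPO with the NetSecurity cmdlets.

$PolicyStore = 'contoso.com\GPO_DOMISO_Firewall'   # assumed domain and GPO name; adjust

# Rule groups the GPO sets to "Allow the connection". Group names follow the
# local store of the OS you run this on; older builds name the firewall group
# "Windows Firewall Remote Management".
$AllowedGroups = @(
    'Core Networking',
    'File and Printer Sharing',
    'Network Discovery',
    'Remote Administration',
    'Remote Desktop',
    'Remote Event Log Management',
    'Remote Scheduled Tasks Management',
    'Remote Service Management',
    'Remote Volume Management',
    'Windows Defender Firewall Remote Management',
    'Windows Management Instrumentation (WMI)',
    'Windows Remote Management'
)

function Set-DomIsoFirewallProfiles {
    param([Parameter(Mandatory)][string]$Store)

    # All profiles: firewall on, unsolicited inbound blocked, outbound allowed.
    Set-NetFirewallProfile -PolicyStore $Store -Profile Domain, Private, Public `
        -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

    # Domain profile only: no notifications to the user, and locally defined
    # firewall and connection security rules are ignored, so only exceptions
    # delivered by GPO take effect.
    Set-NetFirewallProfile -PolicyStore $Store -Profile Domain `
        -NotifyOnListen False -AllowLocalFirewallRules False -AllowLocalIPsecRules False

    # Private and public profiles keep those three settings at Yes.
    Set-NetFirewallProfile -PolicyStore $Store -Profile Private, Public `
        -NotifyOnListen True -AllowLocalFirewallRules True -AllowLocalIPsecRules True
}

function Add-DomIsoRuleGroups {
    param(
        [Parameter(Mandatory)][string]$Store,
        [Parameter(Mandatory)][string[]]$Groups
    )

    foreach ($group in $Groups) {
        # Skip groups already in the GPO so a rerun does not create duplicates.
        if (Get-NetFirewallRule -DisplayGroup $group -PolicyStore $Store -ErrorAction SilentlyContinue) {
            Write-Verbose "Group '$group' is already present in $Store"
            continue
        }
        # Copy the predefined rules of the group from the local store into the
        # GPO, then enable them there: many of these groups are disabled in the
        # local store by default and the copy keeps that state.
        Get-NetFirewallRule -DisplayGroup $group -PolicyStore PersistentStore |
            Copy-NetFirewallRule -NewPolicyStore $Store
        Enable-NetFirewallRule -DisplayGroup $group -PolicyStore $Store
    }
}

Set-DomIsoFirewallProfiles -Store $PolicyStore
Add-DomIsoRuleGroups -Store $PolicyStore -Groups $AllowedGroups

# Review what the GPO now carries before linking it to any OU or test group.
Get-NetFirewallProfile -PolicyStore $PolicyStore |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction,
        NotifyOnListen, AllowLocalFirewallRules, AllowLocalIPsecRules
Get-NetFirewallRule -PolicyStore $PolicyStore |
    Group-Object DisplayGroup | Select-Object Name, Count
```

The review at the end is the point of doing this in PowerShell: before the GPO is linked, you can confirm that the domain profile really has AllowLocalFirewallRules and AllowLocalIPsecRules set to False while the other profiles keep True, and that every program exception your pilot found necessary is already in the GPO, since once the domain settings apply nobody on the device can add one locally.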
