Windows Server Firewall Configuration Guide
Windows Defender Firewall with Advanced Security is a host-based firewall built into every Windows Server installation. Properly configuring it on your Kazepute Breeze is essential for protecting your services while allowing legitimate traffic.
Understanding Firewall Profiles
Windows Firewall uses three network profiles:
- Domain: Applied when the server is connected to an Active Directory domain.
- Private: Used for trusted networks.
- Public: The most restrictive, used for untrusted networks. Your Breeze will typically use the Public profile.
Opening the Firewall Console
You can manage the firewall through the GUI or PowerShell:
- GUI: Open `wf.msc` from the Run dialog or search for "Windows Defender Firewall with Advanced Security."
- PowerShell: Use the `NetSecurity` module cmdlets.
Viewing Current Rules
# List all enabled inbound rules
Get-NetFirewallRule -Direction Inbound -Enabled True | Format-Table DisplayName, Action, Profile
# List all enabled outbound rules
Get-NetFirewallRule -Direction Outbound -Enabled True | Format-Table DisplayName, Action, Profile
# Check firewall status for all profiles
Get-NetFirewallProfile | Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction
Creating Inbound Rules
Allow specific ports for your applications:
# Allow HTTP (port 80)
New-NetFirewallRule -DisplayName "Allow HTTP" -Direction Inbound -Protocol TCP -LocalPort 80 -Action Allow -Profile Any
# Allow HTTPS (port 443)
New-NetFirewallRule -DisplayName "Allow HTTPS" -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow -Profile Any
# Allow a custom application port
New-NetFirewallRule -DisplayName "Allow App Port 8080" -Direction Inbound -Protocol TCP -LocalPort 8080 -Action Allow -Profile Any
# Allow a port range
New-NetFirewallRule -DisplayName "Allow Ports 5000-5010" -Direction Inbound -Protocol TCP -LocalPort 5000-5010 -Action Allow
Restricting Access by IP
For sensitive services, restrict access to specific IP addresses:
# Allow RDP only from a specific IP
New-NetFirewallRule -DisplayName "RDP - Restricted" -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow -RemoteAddress 203.0.113.50
# Allow SQL Server from a subnet
New-NetFirewallRule -DisplayName "MSSQL - Internal Only" -Direction Inbound -Protocol TCP -LocalPort 1433 -Action Allow -RemoteAddress 10.0.0.0/24
Blocking Traffic
# Block all inbound traffic on a specific port
New-NetFirewallRule -DisplayName "Block Port 23 (Telnet)" -Direction Inbound -Protocol TCP -LocalPort 23 -Action Block
# Block a specific IP address
New-NetFirewallRule -DisplayName "Block Malicious IP" -Direction Inbound -Action Block -RemoteAddress 198.51.100.99
Managing Existing Rules
# Disable a rule
Disable-NetFirewallRule -DisplayName "Allow HTTP"
# Enable a rule
Enable-NetFirewallRule -DisplayName "Allow HTTP"
# Remove a rule
Remove-NetFirewallRule -DisplayName "Block Malicious IP"
Exporting and Importing Rules
Back up your firewall configuration before making changes:
# Export all firewall rules
netsh advfirewall export "C:\firewall-backup.wfw"
# Import firewall rules
netsh advfirewall import "C:\firewall-backup.wfw"
Best Practices
- Follow the principle of least privilege — only open ports that are actively needed.
- Use IP restrictions on management ports (RDP, WinRM, SQL).
- Regularly audit firewall rules with `Get-NetFirewallRule`.
- Log dropped packets for security monitoring by enabling firewall logging in the profile settings.
- Keep a documented list of all custom firewall rules and their purposes.
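The following script is an added example, not part of the original guide, that turns two of these best practices into a repeatable check: it audits enabled inbound Allow rules for management ports (RDP, WinRM, SQL) that are reachable from any remote address, and it enables logging of dropped packets on all three profiles. The function names, the port table and the log path are assumptions chosen for this example; the cmdlets and parameters are the standard NetSecurity ones shown elsewhere in this guide.

```powershell
# Default ports for the management services the guide recommends restricting by IP.
# This table is an assumption for the example; add your own service ports as needed.
$ManagementPorts = @{
    '3389' = 'RDP'
    '5985' = 'WinRM (HTTP)'
    '5986' = 'WinRM (HTTPS)'
    '1433' = 'MSSQL'
}

# Returns enabled inbound Allow rules that expose a management port
# (or all ports) to an unrestricted remote address ("Any").
function Find-ExposedManagementRule {
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow
    foreach ($rule in $rules) {
        $ports = $rule | Get-NetFirewallPortFilter
        $addrs = $rule | Get-NetFirewallAddressFilter
        # Only rules with no source restriction are interesting here.
        if (-not ($addrs.RemoteAddress -contains 'Any')) { continue }
        # LocalPort may be a single value, an array, a range such as "5000-5010", or "Any".
        foreach ($port in @($ports.LocalPort)) {
            $key = "$port"
            if ($key -eq 'Any' -or $ManagementPorts.ContainsKey($key)) {
                [pscustomobject]@{
                    DisplayName   = $rule.DisplayName
                    Profile       = $rule.Profile
                    Port          = $key
                    Service       = if ($key -eq 'Any') { 'all ports' } else { $ManagementPorts[$key] }
                    RemoteAddress = ($addrs.RemoteAddress -join ',')
                }
            }
        }
    }
}

# Enables logging of dropped packets on every profile so blocked connection
# attempts are written to the firewall log for monitoring. The log path and
# size are assumptions; adjust them to your own logging setup.
function Enable-DroppedPacketLogging {
    Set-NetFirewallProfile -Profile Domain,Private,Public `
        -LogBlocked True `
        -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
        -LogMaxSizeKilobytes 16384
}

# Run the audit first, then turn on logging. Requires an elevated PowerShell session.
Find-ExposedManagementRule | Format-Table -AutoSize
Enable-DroppedPacketLogging
```

Any rule the audit lists should either be removed or rewritten with a `-RemoteAddress` restriction, as shown in the "Restricting Access by IP" section above.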