WindowsFirewallRuleset

Windows Firewall Ruleset

Alt Text

Table of Contents

About Windows Firewall Ruleset

Alpha release

A fully automated solution for Windows firewall with PowerShell

Windows Firewall Ruleset configures Windows firewall automatically and applies restrictive firewall rules specific for target system and software installed on the system.

Status of this project is still alpha, click on “status” badge above to learn more.
This project consists of two major parts, firewall rules and firewall framework as follows:

Firewall rules

Windows firewall rules sorted into individual PowerShell scripts according to:

Such as for example:

Firewall framework

Table of Contents

The vision of this firewall

Managed in VSCode PowerShell

  1. Detailed firewall configuration is time consuming process, takes a lot of troubleshooting, changes require testing and security auditing and it only gets worse if you need to deploy firewall to hundreds or thousands of remote computers, for example not all computers might have same software or restriction requirements.

  2. Unlike firewall rules in control panel, these rules are loaded into GPO firewall (Local Group Policy), meaning system settings changes or random programs which install rules as part of their installation process will have no effect on firewall unless you explicitly make an exception.

  3. Rules based on programs and services will have their specified executable file checked for digital signature and will be scanned on VirusTotal if digital signature is missing, for security reasons rule is not created or loaded into firewall if this verification fails. (can be forced)

  4. Default outbound is “block” unless there is a rule to allow network traffic, in most firewalls this is not possible unless you maintain rules for every possible program or service, thanks to this collection of rules, setting default outbound to block requires very little or no additional work.

  5. Unlike in usual scenario, you will know which rules no longer have an effect or are redundant due to ex. uninstalled program, a missing system service which no longer exists, renamed executable after Windows update and similar reasons.

  6. Unlike predefined Windows firewall rules, these rules are more restrictive such as, tied to explicit user accounts, rules apply to specific ports, network interfaces, specific executables, services etc. all of which is learned automatically from target system.

  7. Updating, filtering or searching rules and attributes such as ports, addresses and similar is much easier since these rules are in scripts, you can use editor tools such as regex, multicursor or CTRL + F to perform bulk operations on your rules, doing this in any firewall UI is not possible due to user interface limitations.

  8. A good portion of code is dedicated to provide automated solution to build and define firewall specialized for target system and users, minimizing the need to do something manually thus saving you much valuable administration time.

Table of Contents

License

MIT license

This project Windows Firewall Ruleset is licensed under the MIT license.

Some scripts, files or modules are not MIT licensed or may have their own Copyright holders for this reason license and Copyright notices are maintained “per file”.

Requirements

Windows

The following table lists operating systems on which Windows Firewall Ruleset has been tested

OS Edition Version Architecture
Windows 10 Pro 1809 - 22H2 x64
Windows 10 Pro Education 20H2 x64
Windows 10 Enterprise 1809 - 20H2 x64
Windows 10 Education 20H2 - 22H2 x64
Windows 11 Pro Education 21H2 x64
Windows 11 Pro 22H2 - 23H2 x64
Windows 11 Enterprise 22H2 x64
Windows Server 2019 Essentials 1809 x64
Windows Server 2019 Standard 1809 x64
Windows Server 2019 Datacenter 1809 x64
Windows Server 2022 Standard 21H2 x64
Windows Server 2022 Datacenter 21H2 x64

  1. Windows PowerShell 5.1 or PowerShell Core 7.3.x Download PowerShell Core
  2. .NET Framework 4.5 (Windows PowerShell only) Download Net Framework
  3. sigcheck64.exe (Highly recommended) Download sigcheck
  4. Git (Optional) Download Git
  5. Visual Studio Code (Recommended) Download VSCode
  6. PowerShell Support for VSCode (Recommended) Download extension
  7. PSScriptAnalyzer (Recommended) Download PSScriptAnalyzer

Table of Contents

Requirements details

Table of Contents

I don’t meet the requirements

At the moment this firewall is tested and designed for most recent Windows Desktop/Servers and that is known to work, to make use of it on older systems requires additional work.

Testing is done on 64 bit Windows, a small fraction of rules won’t work for 32 bit system and need adjustment, full functionality for 32 bit system is work in progress.
For now you can load rules on 32 bit system just fine with the exception of few rules probably not relevant at all for your configuration.

For information on how to make use of this firewall on older Windows systems such as Windows 7 or Windows Server 2008 see Legacy Support

Table of Contents

First time user

The following are brief warnings and notices first time user should be aware of before deploying firewall

Warning

Table of Contents

Note

Table of Contents

Quick start

  1. If you don’t have ssh keys and other setup required to clone via SSH then either clone with HTTPS or just download released zip file from Releases, and then for the latest release under “assets” download zip file.
    These steps here assume you have downloaded a zip file from “assets” section under “Releases”.

  2. Extract downloaded archive somewhere, these steps assume you’ve extracted the zip file (repository root directory) into C:\ root drive directly.

  3. If you would like to use Windows PowerShell, see How to open Windows PowerShell Otherwise the procedure for both PowerShell Core and Windows PowerShell is similar:
    Open up extracted folder, right click into an empty space and there is an option to run PowerShell Core as Administrator (Assumes you enabled context menu during installment of PowerShell Core) if not open it manually.

  4. If you don’t have PowerShell context menu then move to C:\ root drive by executing the following two lines (type or copy/paste the commands and hit enter for each), this is where you extracted your downloaded zip file

     c:
     cd \
    
  5. cd into downloaded folder:

     cd WindowsFirewallRuleset*
    
  6. To see current execution policy type the following command and hit enter:
    (hint: you can use TAB key to auto complete as you type)

     Get-ExecutionPolicy
    

    Remember the output of the above command, note that PowerShell Core defaults to RemoteSigned while Windows PowerShell defaults to Restricted on non server editions.

  7. Set execution policy to unrestricted to be able to unblock project files, (Note that RemoteSigned will work only once scripts are unblocked)

     Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted
    

    You may be prompted to accept execution policy change, if so type Y and press enter to accept.
    For more information see About Execution Policies

  8. At this point you should “unblock” all repository files first by executing a script called
    Scripts\Unblock-Project.ps1, btw. repository files were blocked by Windows to prevent users from running untrusted script code downloaded from internet:

     .\Scripts\Unblock-Project.ps1
    

    If asked, make sure your answer is R that is [R] Run once as many times as needed to unblock project. (approx. up to 8 times)

  9. Once repository files are unblocked change execution policy to RemoteSigned:

     Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned
    

    You may be again prompted to accept execution policy change, type Y and press enter to accept.

  10. Rules for programs such as your web browser, games etc. depend on installation variables.
    Most paths are auto-searched and variables are updated transparently, otherwise you get warning and description on how to fix the problem.
    If needed, you can find these installation variables in individual scripts inside Rules directory.
    It is recommended to close down all MMC management consoles such as gpedit.msc or secpol.msc before running master script in the next step.

  11. Back to PowerShell console and run one of the two Deploy-Firewall commands below:

    To deploy firewall automatically with as few prompts as possible any prompt run:

    .\Scripts\Deploy-Firewall.ps1 -Force
    

    Otherwise to be interactively prompted which rules to load run:

    .\Scripts\Deploy-Firewall.ps1
    

    Hit enter and you’ll be asked questions such as what kind of rulesets you want.
    If you need help to decide whether to run some ruleset or not, type ? when prompted to run ruleset and press enter to get more info.
    If for what ever reason you want to interrupt and abort deployment (ex. to start a new) press CTRL + C on your keyboard while PowerShell is in focus and restart PowerShell console.

  12. Follow prompt output, (ex. hit enter to accept default action), it will take some 15 minutes of your attention.

    NOTE: If Administrator account is using Microsoft account to log in to computer you will be asked for credentials, which needs to be Microsoft email and password regardless if you’re using Windows hello or not, specifying PIN ie. will not work and other Windows hello authentication methods are not supported.

    If invalid credentials are supplied you’ll get an error saying Access is denied.
    If this happens you’ll need to restart PowerShell console and try again.

    For more information why this is necessary see FAQ

  13. If you encounter errors, you can either ignore errors or update script that produced the error then rerun that specific script once again later.

  14. When done you might want to adjust some of the rules in Local Group Policy, not all rules are enabled by default or you might want to toggle default Allow/Block behavior.
    Rules may not cover all programs installed on your system, in which case missing rules need to be made.

  15. Now go ahead and test your internet connection (ex. with a web browser or some other program), If you’re unable to connect to internet after deploying these rules you have several options:

  16. As a prerequisite to deploy firewall, some system services have been started and set to automatic start, inside Logs directory you’ll find Services_<DATE>.log to help you restore these services to default if desired.
    For example Windows Remote Management service should not run if not needed (the default is “Manual” startup)

Table of Contents

Firewall management

The following section gives some hints to manage firewall with ease

Automated and interactive firewall deployment

Deploy-Firewall.ps1 script supports several parameters to let you customize deployment automation as follows:

.\Scripts\Deploy-Firewall.ps1 -Force -Quiet
.\Scripts\Deploy-Firewall.ps1 -Interactive
.\Scripts\Deploy-Firewall.ps1

To learn the meaning of parmaters to be able to combine them on your own see Deploy-Firewall.ps1 script comment or run the following command:

Get-Help .\Scripts\Deploy-Firewall.ps1 -Detailed

Manage GPO rules

There are two mothods to manage GPO rules:

  1. Using Local Group Policy, this method gives you limited freedom on what you can do with rules from this repository, such as disabling them, changing some attributes or adding new rules.
    For more information see: Manage GPO Firewall

  2. Editing PowerShell scripts, this method gives you full control, you can change or remove existing rules with no restriction or add new ones.

What ever your plan or setup is, you will surely want to perform additional work such as customizing rules, or adding new rules for programs not yet covered by this firewall.

Rules are loaded into local group policy, if during firewall setup you accepted creating a shortcut to personalized firewall management console you can run the schortcut, otherwise follow steps mentioned in Manage GPO Firewall

For more information about GPO see: Configure security policy settings

Table of Contents

Deploying individual rulesets

If you want to deploy only specific rules there are two ways to do this:

  1. Execute Scripts\Deploy-Firewall.ps1 and chose Yes only for rulesets you want, otherwise chose No and hit enter to skip current ruleset.

  2. In PowerShell console navigate cd to directory containing ruleset script you want and execute individual script.
    For example cd .\Rules\IPv4\Outbound\Software followed by .\Adobe.ps1 to load rules for Adobe.

You might want to run Scripts\Complete-Firewall.ps1 afterwards to apply default firewall behavior if it’s not already set, or you can do it manually in GPO but with limited power. “limited power” means Scripts\Complete-Firewall.ps1 configures some firewall parameters which can’t be adjusted in firewall GUI.

In both cases all rules that match ruleset group, DisplayGroup, will be deleted before loading rules into GPO.

Table of Contents

Deleting rules

At the moment there are three options to delete firewall rules:

  1. The easiest way is to select all rules you want to delete in GPO, right click and delete.

  2. To delete rules according to file there is a function for this purpose, located in:
    Modules\Ruleset.Firewall\Public\Remove-FirewallRule.ps1
    however you first need to export firewall to file before using it.

  3. To revert to your old firewall state (the one in control panel), you’ll need to delete all rules from GPO, and set all properties to Not configured after right click on node:
    Windows Defender Firewall with Advanced Security - Local Group Policy Object

Deleting all rules or revetting to previous state can also be done with Scripts\Reset-Firewall.ps1
Note that you’ll also need to re-import your exported GPO rules if you had them.

Table of Contents

Export/Import rules

If you want to export rules from GPO there are two methods available:

  1. Export in local group policy by clicking on Export Policy... menu, after right click on node:
    Windows Defender Firewall with Advanced Security - Local Group Policy Object

  2. To export using PowerShell run Scripts\Backup-Firewall.ps1
    If you want to customize your export see Export-RegistryRule function located in Ruleset.Firewall module, which let’s you customize your export in almost any way you want.

If you want to import rules, importing by using GPO is same as for export, and to import with PowerShell just run Scripts\Restore-Firewall.ps1 which will pick up your previous export files.

To customize your export\import please take a look into Modules\Ruleset.Firewall\Public, which is where you’ll find description on how to use export\import module functions.

NOTE: Export-FirewallRule function is really slow, you’re advised to run Export-RegistryRule function instead which is as fast as it can be.

Table of Contents

Remote firewall deployment

This section and functionality is currently experimental and not fully complete, at the moment deployment to single remote computer is supported.

Under construction

In remote firewall deployment there are at least two computers involved,
one is called management computer (client) and all others are called managed computers (servers).

Scripts are executed by administrator on management computer, and firewall is then deployed to or configured on multiple server computers simultaneously.

For implementation details see Modules\Ruleset.Remote module

NOTE: Remoting functionality is not exclusive to remote firewall deployment, deployment to localhost by design requires working WinRM and PS remoting configuration as well.

Before remote deployment can be performed, remote computer (server) needs to be configured to accept connection, example on how to establish SSL connection is as follows:

To allow execution, configure WinRM service and remote registry on server computer by running:

NOTE: If using PowerShell core omit -Protocol HTTPS from Enable-WinRMServer below, this will enable both HTTP and HTTPS which is a temporary workaround for compatibility module to work in remote session.

# On server computer
Set-ExecutionPolicy -Scope LocalMachine RemoteSigned
Set-Location C:\Path\to\WindowsFirewallRuleset
Import-Module .\Modules\Ruleset.Remote
Enable-WinRMServer -Protocol HTTPS -KeepDefault -Confirm:$false
Enable-RemoteRegistry -Confirm:$false

After performing these steps, inside \Exports directory you’ll find SSL certificate (*.cer) file which needs to be copied to management computer also into \Exports directory.
By default self signed SSL certificate is created if the server computer does not already have one.

NOTE: Configuring server computer manually is performed only once for initial setup, you don’t need to repeat it for subsequent deployments.

Next step is to move on to management computer and run scripts as wanted, for example:

# On management computer
cd C:\Path\to\WindowsFirewallRuleset\Scripts
Deploy-Firewall -Domain "RemoteComputerName"

Both sets of commands above need to be run in same edition of PowerShell, ex. if server was configured in PowerShell Core then client computer also needs PowerShell core for deployment.
If either the server or management computer is a workstation (ex. not Windows server or part of domain) then it’s network profile must be set to private profile.

Remote deployment can be customized in a great detail in the following locations:

For additional information and troubleshooting tips see also Remoting help

Table of Contents

Support, updates and documentation

For support, issue reports, suggestions or customization of this repository and methods to periodically update this firewall please refer to SUPPORT.md

Table of Contents

The future

The following features are desired and might be available at some point in the future:

  1. Remote firewall administration

    • Deploying firewall configuration to multiple remote computers on domain or home networks
  2. Comprehensive firewall rulesets for Windows Server editions and dedicated gateway systems.

  3. On demand or scheduled registry scan to validate integrity of active firewall filtering policy and firewall settings

    • Any firewall rule or setting in the registry that is not part of this repository is reported for review.
    • Because, malware, hackers and even trusted software can attempt to bypass firewall at any time
  4. Full functionality for the following not yet tested editions of Windows 10.0
    • Windows 10 & 11 Pro for Workstations
    • Windows 10 & 11 IoT Core Blast
    • Windows 10 & 11 IoT Enterprise
    • Windows 10 & 11 S
  5. Functionality for x86 systems

Table of Contents