Step 1: Configuring Predefined Rules by Using Group Policy

Updated: December 7, 2009

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

In many scenarios, you might want to configure rules that allow generally required network activity, such as certain ICMP response types, which are not associated with a service but are required for some network troubleshooting. The most common network traffic types required by both clients and servers are specified in Windows Firewall with Advanced Security by predefined sets of rules. This makes it easy to select them for configuration and deployment. This guide demonstrates the procedure with only one predefined group. In a production environment, examine all of the provided predefined groups and deploy those that are appropriate for your organization’s network.

In this step, you use the Group Policy Management MMC snap-in to configure a group of firewall rules. You set the rules that are part of the group Core Networking to be always enabled.

To configure a group of firewall rules

  1. On MBRSVR1, in the Group Policy Management snap-in, right-click Firewall Settings for Windows Clients, and then click Edit.

  2. In the navigation pane of the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Windows Firewall with Advanced Security, and then expand Windows Firewall with Advanced Security - LDAP://{GUID},cn=policies,cn=system,DC=contoso,DC=com.

  3. Click Inbound Rules.

    There are no inbound firewall rules in the GPO by default.

  4. Right-click Inbound Rules, and then click New rule.

  5. On the Rule Type page of the wizard, click Predefined, select Core Networking from the list, and then click Next.

  6. On the Predefined Rules page, examine the list of rules, leave them all selected, and then click Next.

Note

In a production environment, carefully consider which profiles you apply the rules to. You may want to consider rules for other profiles to control how the firewall works on computers that are away from the network, such as portable computers which are taken home. You might want to consider applying your rules to all the profiles to make sure that your organization's computers continue to be protected when they are away from the organization's network. Some rule modifications may be required to allow expected program behavior on a home or public network that differs from the organization's network.

  7. On the Action page, because we want to create an exception for traffic that would by default be blocked, select Allow the connection, and then click Finish.

    The list of enabled rules now appears in the results pane for Inbound Rules.

  8. Close the Group Policy Management Editor for the client GPO.

With the list of rules now in the GPO, deploy the GPO to the client computer.

To test the rules on the client computer

  1. On CLIENT1, in Administrator: Command Prompt, run gpupdate /force. Wait until the command finishes.

  2. In the navigation pane of the Windows Firewall with Advanced Security snap-in, expand Monitoring, and then click Firewall.

    Note the list of rules that is now active on the local computer. It may take several seconds for the list to populate.

  3. Click View, and then click Add/Remove columns.

  4. If the Rule Source column is not displayed, click Rule Source in the Available columns list, and then click Add.

  5. Click Move Up to position Rule Source directly after Name, and then click OK.

  6. Note that all the rules identify the GPO Firewall Settings for Windows Clients as the source of the rule. Even if you disable the locally defined Core Networking rules under Inbound Rules, these rules from the GPO still apply to the computer.
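The same check can be scripted instead of read off the Monitoring node. The following PowerShell script is an added example, not part of this guide; it assumes the NetSecurity module (Get-NetFirewallRule), which ships with Windows 8 and Windows Server 2012 or later rather than the platforms listed above, and it assumes the GPO display name appears in the PolicyStoreSource property of rules delivered by Group Policy.

```powershell
# Added verification script, not from the original guide. Run on CLIENT1 after
# "gpupdate /force". Assumes the NetSecurity module (Windows 8 / Server 2012 or
# later); on Windows 7 and earlier use the Monitoring node as described above.
$gpoName = 'Firewall Settings for Windows Clients'   # GPO name used in this guide

# ActiveStore holds the rules actually in effect: the local store merged with
# whatever Group Policy delivered, which is what the Monitoring node displays.
$rules = Get-NetFirewallRule -PolicyStore ActiveStore `
                             -DisplayGroup 'Core Networking' `
                             -Direction Inbound

if (-not $rules) {
    Write-Warning 'No inbound Core Networking rules in the active store; has the GPO applied yet?'
    return
}

# Show the same columns the guide tells you to add in the snap-in (Name, Rule Source).
$rules |
    Select-Object DisplayName, Enabled, Action, Profile, PolicyStoreSourceType, PolicyStoreSource |
    Sort-Object PolicyStoreSourceType, DisplayName |
    Format-Table -AutoSize

# Rules whose source type is GroupPolicy cannot be switched off by a local
# administrator; anything still sourced "Local" is only the built-in copy.
$fromGpo    = @($rules | Where-Object { $_.PolicyStoreSourceType -eq 'GroupPolicy' })
$localOnly  = @($rules | Where-Object { $_.PolicyStoreSourceType -eq 'Local' })
$notEnabled = @($fromGpo | Where-Object { $_.Enabled -ne 'True' })

'{0} inbound Core Networking rules active; {1} delivered by Group Policy, {2} local only' -f `
    $rules.Count, $fromGpo.Count, $localOnly.Count

if ($notEnabled) {
    Write-Warning ('GPO rules present but not enabled: ' + ($notEnabled.DisplayName -join ', '))
}

# Assumption: PolicyStoreSource contains the GPO display name for GPO-delivered rules.
$otherGpo = @($fromGpo | Where-Object { $_.PolicyStoreSource -notlike "*$gpoName*" })
if ($otherGpo) {
    Write-Warning ('Rules delivered by a GPO other than "{0}": {1}' -f `
        $gpoName, ($otherGpo.DisplayName -join ', '))
}
```

If every Core Networking rule still reports a source type of Local, the GPO has not reached the computer yet; rerun gpupdate /force and check the Applied GPOs section of gpresult /r.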

Next topic: Step 2: Allowing Unsolicited Inbound Network Traffic for a Specific Program