Step 1: Configuring the Default Outbound Firewall Behavior to Block

  • Article

Updated: May 16, 2014

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

In this step, you change the default outbound behavior for the firewall. By default, Windows Firewall allows all outbound network traffic. In order to restrict outbound traffic, you can change that default to cause Windows Firewall with Advanced Security to block all outbound traffic that does not match an outbound allow rule.

Important

In a production environment, you must carefully evaluate the outbound traffic requirements for your computers. You must then create outbound allow rules for all network traffic that must be permitted. Any additional applications that must be able to transmit on the network must have rules created and deployed. Be sure to test your configuration before you deploy it to production computers.

Enable the Core Networking and File and Printer Sharing outbound rules

  1. On MBRSVR1, if Group Policy Management Editor is still open, close it.

  2. In Group Policy Management, right-click Firewall Settings for Windows Clients, and then click Edit.

  3. Expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Windows Firewall with Advanced Security, and then expand Windows Firewall with Advanced Security - LDAP://{GUID},cn=policies,cn=system,DC=contoso,DC=com.

  4. Before you enable the default outbound block, enable the Core Networking and File and Printer Sharing outbound rules that will permit the client to continue to receive changes in Group Policy. Because your settings prevent local rules from being used, you must include them in the GPO. In the navigation page, right-click Outbound Rules, and then click New Rule.

Warning

Be sure to test your rules carefully in a lab environment before you apply them to production computers. If you do not allow the required outbound traffic then the client cannot even talk to the domain controller to retrieve an updated GPO that fixes the problem. The only way to recover from this is to remove the client computer from the domain, which removes any applied Group Policy settings. Then, before you rejoin the computer to the domain, make sure that the GPO has the required outbound Allow rules.

  1. On the Rule Type page, select Predefined, in the drop-down list, select Core Networking, and then click Next.

  2. On the Predefined Rules page, make sure that all of the rules are selected, and then click Next.

  3. On the Action page, select Allow the connection, and then click Finish.

  4. Repeat steps 4 to 7 to add the File and Printer Sharing group of rules.

Allow lsass.exe to communicate through the firewall for domain authentication purposes

  1. Next, you need to allow lsass.exe to communicate through the firewall for domain authentication purposes. Right-click Outbound Rules, and then click New Rule.

  2. On the Rule Type page, click Program, and then click Next.

  3. On the Program page, select This program path, and then type %windir%\system32\lsass.exe and then click Next.

  4. On the Action page, select Allow the connection, and then click Next.

  5. On the Profile page, clear the Private and Public check boxes, and then click Next.

  6. On the Name page, type Allow Outbound lsass.exe and then click Finish.

Allow the WMIPrvSE.exe to query the domain controller for WMI filters

  1. If any of your GPOs have WMI filters, you must also create one additional outbound rule to allow the WMIPrvSE.exe program on the client to query the domain controller about the WMI filter and correctly process it. Right-click Outbound Rules, and then click New Rule.

  2. On the Rule Type page, click Custom, and then click Next.

  3. On the Program page, select This program path, and then type %windir%\system32\wbem\wmiprvse.exe. There are no services to customize in this case so click Next.

  4. On the Protocol and Ports page, change Protocol type to TCP, change Remote port to Specific Ports, type 389, and then click Next.

  5. On the Scope page, click Next.

  6. On the Action page, select Allow the connection, and then click Next.

  7. On the Profile page, clear the Private and Public check boxes, and then click Next.

  8. On the Name page, type Allow Outbound 389 from WMI Client, and then click Finish.

Allow the Network Location Awareness service permissions to access the domain via LDAP

  1. Next, you need to need to allow the Network Location Awareness service permissions to access the domain via LDAP. Right-click Outbound Rules, and then click New Rule.

  2. On the Rule Type page, click Custom, and then click Next.

  3. On the Program page, select This program path, and then type %windir%\System32\svchost.exe. Also Click Customize, Select Apply to service with this service short name, and then type NlaSvc to add the Network Location Awareness service, click OK, and then click Next.

  4. Read the message, and click Yes to accept the changes.

  5. On the Protocol and Ports page, change Protocol type to TCP, change Remote port to Specific Ports, type 389, and then click Next.

  6. On the Scope page, click Next.

  7. On the Action page, select Allow the connection, and then click Next

  8. On the Profile page, click Next.

  9. On the Name page, type Allow outbound NlaSvc Service port 389, and then click Finish.

Enable the default outbound block rule

  1. Now that the allow rules are in place, you can enable the default outbound Block rule. In the Group Policy Management Editor click Windows Firewall with Advanced Security - LDAP://{GUID},cn=policies,cn=system,DC=contoso,DC=com, and in the results pane, click Windows Firewall Properties.

  2. On the Domain Profile tab, change Outbound connections to Block, and then click OK.

Now apply the GPO to the client computer to view the effect.

To deploy and test your GPO

  1. On CLIENT1, at Administrator: Command Prompt, run the command gpupdate /force, and then wait until the command has finished.

  2. In an Administrator: Command Prompt, run the command telnet mbrsvr1.

  3. The command fails because all outbound network traffic, except for core network traffic and file and printer sharing traffic is blocked.

In the next section, you create your outbound Allow rule for Telnet.

Next topic: Step 2: Allowing Network Traffic for a Program by Using an Outbound Rule