Windows 10 comes with a built-in firewall that can be configured using Group Policy. This guide will show you how to control the firewall using a GPO.
- Open the Group Policy Management Console (GPMC). To do this, open the Start menu, type gpmc, and press Enter.
- In the GPMC, expand your domain and select your domain controller. If you are not sure which domain controller your computer is in, open System Properties and look at the Computer Name field.
- Right-click your domain and select New GPO from the context menu.
- In the New GPO dialog box, name the GPO Firewall Settings and click OK.
- In the Firewall Settings GPO dialog box, double-click on the Firewall Settings tab to open it. Select Windows Firewall from the left pane and then click on Properties in the right pane to open its settings window (see Figure 1). Figure 1: The Windows Firewall Properties window
- Under General, set Allow Local Administrators to Control Firewall Policy to Yes (see Figure 2). This will allow local administrators to configure firewall policy on their computers by using Group Policy Objects (GPOs). Figure 2: Setting Allow Local Administrators to Control Firewall Policy to Yes ..
Our Mission
It has come to our attention that a lot of users have Skype installed on their machines and it is making them less productive. We have been given the task of making sure that users cant use Skype at work, however they are welcome to keep it installed on their laptops and use it at home or during lunch breaks on a 3G/4G connection. Given this information we decide to make use of the Windows Firewall and Group Policy.
The Method
The easiest way to start controlling the Windows Firewall through Group Policy is to set up a reference PC and create the rules using Windows 7, we can then export that policy and import it into Group Policy. By doing this, we have the extra advantage of being able to see if all the rules are set up and working as we want them to be, before deploying them to all the client machines.
Creating a Firewall Template
In order to create a template for the Windows Firewall we need to launch the Network and Sharing Center, the easiest way to do this is to right-click on the network icon and select Open Network and Sharing Center from the context menu.
When the Network and Sharing Center opens, click on the Windows Firewall link in the lower left hand corner.
When creating a template for Windows Firewall it is best done through the Windows Firewall with Advanced Security console, to launch this click on Advanced Settings on the left hand side.
Note: At this point I am going to edit the Skype specific rules, however you can add your own rules for ports or even applications. Whatever modifications you need to make to the firewall should be done now.
From here we can start editing our firewall rules, in our case when the Skype application is installed it creates its own Firewall exceptions that allow skype.exe to communicate on the Domain, Private and Public network profiles.
Now we need to edit our Firewall rule, to edit it double click on the rule. This will bring up the properties of the Skype rule.
Switch over to the Advanced tab and uncheck the Domain check box.
When you try launch Skype now, you will be prompted to ask if it can communicate on the Domain Network Profile, uncheck the box and click allow access.
If you now go back to your Inbound Firewall Rules you will see that there are two new rules, this is because when you were prompted you chose not to allow Inbound Skype traffic. If you look over to the profile column you will see that they are both for the Domain network profile.
Note: The reason there is two rules is because there is separate rules for TCP and UDP
Everything is good so far, however if you launch Skype you will still be able to log in.
Even if you change the rules to block inbound traffic for skype.exe and set it to block traffic using ANY protocol its is still able to somehow get back in. The fix is simple, stop it from being able to communicate in the first place. To do this switch to Outbound Rules and start creating a new rule.
Since we want to create a rule for the Skype program just click next, then browse for the Skype executable file and click next.
You can leave the action at the default which is to block the connection and click next.
Deselect the Private and Public check boxes and click next to continue.
Now give your rule a name and click finish
Now if you try and launch Skype while connected to a Domain network it will not work
However if they try and connect when they get home it will allow them to connect fine
That’s all the Firewall rules we are going to create for now, don’t forget to test out your rules just like we did for Skype.
Exporting the Policy
To export the policy, in the left hand pane click on the root of the tree which says Windows Firewall with Advanced Security. Then click on Action and select Export Policy from the Menu.
You should save this to either a network share, or even a USB if you have physical access to your server. We will go with a network share.
Note: Be careful of viruses when using a USB, the last thing you want to do is infect a server with a virus
Importing the Policy Into Group Policy
To import the firewall policy you need to open an existing GPO or create a new GPO and link it to an OU that contains computer accounts. We have an GPO called Firewall Policy that is linked to an OU called Geek Computers, this OU contains all our computers. We will just go ahead and use this policy.
Now navigate to:
Click on Windows Firewall with Advanced Security and then click on Action and Import Policy
You will be told that if you import the policy it will overwrite all existing settings, click yes to continue and then browse for the policy that you exported in the previous section of this article. Once the policy has finished being Imported you will be notified.
If you go and look at our rules you will see that the Skype rules I created are still there.
Testing
Note: You should not do any testing before you complete the next section of the article. If you do, any rules that have been configured locally will be adhered to. The only reason I did some testing now was to point out a few things.
To see if the Firewall Rules have been deployed to clients, you will need to switch to a client machine and again open the Windows Firewall Settings. As you can see there should be a message saying that some of the firewall rules are managed by your system administrator.
Click on the Allow a program or feature through Windows Firewall link on the left hand side.
As you should see now, we have rules both applied by Group Policy as well as those created locally.
What’s Going On Here and How Can I Fix It?
By default, rule merging is enabled between local firewall policies on Windows 7 computers and firewall policy specified in Group Policies that target those computers. This means that local administrators can create their own firewall rules, and these rules will be merged with the rules obtained through Group Policy. To fix this right click on Windows Firewall with Advanced Security and select properties from the context menu. When the dialog box opens click on the Customize button under the settings section.
Change the Apply local firewall rules option from Not Configured to No.
Once you click ok, switch to the Private and Public profiles and do the same thing for both of them.
That’s all there is to it guys, go have some firewall fun.