90%
Of Windows endpoints have Windows Firewall enabled by default: but most run on default settings that allow all outbound traffic
0
Additional license cost for Windows Firewall with Advanced Security: it is included in all Windows versions
3
Network profiles with separate rule sets in WFAS: Domain (corporate network), Private (home network), Public (untrusted network)
443+80
Default ports that malware uses to blend C2 traffic with legitimate web traffic: outbound filtering must handle encrypted traffic

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Most Windows endpoints run Windows Firewall with its default settings: all inbound connections blocked unless explicitly allowed, all outbound connections allowed. The outbound-allow-all default means that once malware executes on an endpoint, it can freely communicate with external command-and-control infrastructure using any port over any protocol.

Windows Firewall with Advanced Security (WFAS) provides the controls to change this: but they require explicit configuration. The default settings are a starting point, not a finished security control.

Baseline: Verify Windows Firewall Is Enabled on All Three Profiles

Windows Firewall has three separate profiles: Domain (when connected to the corporate domain network), Private (home network or a trusted network), and Public (untrusted networks like airport WiFi). Each profile has independent rules and can be enabled or disabled independently.

Verify and enforce via PowerShell:

# Check current firewall state on all profiles
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# Expected output:
# Name       Enabled DefaultInboundAction DefaultOutboundAction
# ----       ------- -------------------- ---------------------
# Domain     True    Block                Allow
# Private    True    Block                Allow
# Public     True    Block                Allow

# Enforce enabled state on all profiles
Set-NetFirewallProfile -All -Enabled True

# Block inbound by default on all profiles
Set-NetFirewallProfile -All -DefaultInboundAction Block

Group Policy enforcement (prevents users from disabling): Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security > Windows Defender Firewall Properties:

  • Domain Profile: Firewall state = On; Inbound connections = Block; Outbound connections = Allow
  • Private Profile: Same settings
  • Public Profile: Same settings

When configured via Group Policy, users cannot disable the firewall through the Control Panel: the option is greyed out.

Inbound Rules: Locking Down Attack Surface

By default, Windows allows inbound connections for many services that most workstations do not need. Disable rules that are not required:

View all enabled inbound rules:

Get-NetFirewallRule -Direction Inbound -Enabled True |
    Select-Object DisplayName, Profile, Action, Description |
    Sort-Object DisplayName | Format-Table -AutoSize

Rules to disable for most workstations:

# Disable Remote Desktop (unless RDP is required: harden it per the RDP guide if needed)
Disable-NetFirewallRule -DisplayName "Remote Desktop - User Mode (TCP-In)"
Disable-NetFirewallRule -DisplayName "Remote Desktop - User Mode (UDP-In)"

# Disable file and printer sharing if not needed
Disable-NetFirewallRule -DisplayGroup "File and Printer Sharing"

# Disable Remote Assistance
Disable-NetFirewallRule -DisplayGroup "Remote Assistance"

# Disable network discovery on Public profile
Set-NetFirewallRule -DisplayGroup "Network Discovery" -Profile Public -Enabled False

Create application-specific inbound rules instead of port-based rules:

When an application needs inbound access, create a rule that allows the specific executable rather than opening a port globally:

# Allow a specific application to receive inbound connections (not all traffic on a port)
New-NetFirewallRule `
    -DisplayName "Allow Custom App Inbound" `
    -Direction Inbound `
    -Program "C:\Program Files\CustomApp\app.exe" `
    -Action Allow `
    -Profile Domain `
    -Protocol TCP

Application-specific rules limit the attack surface: only that specific binary can receive the connection, not any process that binds to the same port.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Outbound Rules: Reducing C2 Attack Surface

Outbound filtering is the more powerful and less-commonly-used WFAS capability. Switching the default outbound action to Block and allowing only specific applications and ports significantly reduces malware C2 effectiveness: malware can only communicate through the channels you have explicitly allowed.

Switching to default-deny outbound (requires careful planning):

Do not flip this switch in production without extensive testing. Default-deny outbound will break applications that make outbound connections you have not explicitly allowed: and in a standard Windows environment, many processes make outbound connections.

Testing approach:

  1. Enable WFAS audit logging for outbound connections
  2. Review logs for 14 days to identify all outbound connections your applications make
  3. Create allow rules for each legitimate outbound connection
  4. Switch to default-deny outbound in a test environment
  5. Verify all legitimate applications still function
  6. Deploy to production with monitoring for blocked connections
# Enable outbound audit logging (write blocked connections to Windows event log)
Set-NetFirewallProfile -All -LogBlocked True -LogFileName "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"

# After reviewing logs, create outbound rules for legitimate traffic
# Example: Allow web browser outbound
New-NetFirewallRule `
    -DisplayName "Allow Chrome Outbound HTTP/HTTPS" `
    -Direction Outbound `
    -Program "C:\Program Files\Google\Chrome\Application\chrome.exe" `
    -Action Allow `
    -Protocol TCP `
    -RemotePort @(80, 443)

# Allow Windows Update
New-NetFirewallRule `
    -DisplayName "Allow Windows Update" `
    -Direction Outbound `
    -Program "%SystemRoot%\system32\svchost.exe" `
    -Service wuauserv `
    -Action Allow `
    -Protocol TCP `
    -RemotePort 443

# Block outbound after creating all required allow rules
Set-NetFirewallProfile -All -DefaultOutboundAction Block

Higher-value outbound blocks that do not require full default-deny:

Even without switching to full default-deny, specific outbound blocks reduce C2 effectiveness:

# Block PowerShell from making outbound connections (reduces fileless malware C2)
# Note: Creates alert value: monitor for blocked events as an indicator of PowerShell abuse
New-NetFirewallRule `
    -DisplayName "Block PowerShell Outbound - Suspicious" `
    -Direction Outbound `
    -Program "%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -Action Block `
    -Profile Public `
    -Enabled True

# Block cmd.exe outbound connections
New-NetFirewallRule `
    -DisplayName "Block CMD Outbound" `
    -Direction Outbound `
    -Program "%SystemRoot%\System32\cmd.exe" `
    -Action Block `
    -Profile Public

Group Policy Deployment and Monitoring

Deploy WFAS rules via Group Policy:

For enterprise deployment, configure WFAS rules through Group Policy rather than local policy: this ensures consistency across all domain-joined machines and prevents local policy from overriding security configurations.

Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security

Right-click > Import Policy to import a .wfw policy file exported from a reference machine, or configure rules directly in the GPO editor.

Monitor blocked connections via Windows Event Log:

# Find blocked inbound connection attempts (Event ID 5157)
Get-WinEvent -LogName "Security" -FilterXPath "*[System[(EventID=5157)] and EventData[Data[@Name='Direction']='%%14593']]" |
    Select-Object TimeCreated, -ExpandProperty Message |
    Select-Object -First 20

# Monitor via SIEM: Splunk query for blocked outbound (C2 detection value)
index=wineventlog EventCode=5157 Direction=2  /* 2=Outbound */
| eval application=Application
| where NOT application IN ("C:\\Windows\\system32\\svchost.exe", "C:\\Program Files\\...")
| stats count by application, DestAddress, DestPort
| sort -count

Blocked outbound connections from unexpected processes (powershell.exe, cmd.exe, wscript.exe, mshta.exe, regsvr32.exe) are high-fidelity indicators of malware C2 activity: the malware cannot communicate, generates a blocked-connection event, and that event surfaces in your SIEM as an alert.

The DISA STIG and CIS Benchmark settings:

If you need a compliance baseline for WFAS rather than building rules from scratch:

  • CIS Level 1 benchmark for Windows 10/11 includes WFAS settings that enforce enabled state, logging, and profile-appropriate defaults
  • DISA STIG for Windows Firewall provides prescriptive settings for government/high-security environments
  • Both are available as Group Policy Object imports from their respective publishers, reducing manual configuration to validation rather than build.

The bottom line

Windows Firewall with Advanced Security is underutilized at most organizations: the default settings allow all outbound traffic, which gives malware free C2 access. Key configurations: enforce enabled state on all three profiles via Group Policy (users cannot disable), disable inbound rules for services not in use (RDP, file sharing, remote assistance), and block specific high-risk processes from making outbound connections (PowerShell, cmd.exe on Public profile). Enable firewall logging and alert on blocked outbound from unexpected processes: this is one of the highest-signal malware C2 indicators available without additional tooling.

Frequently asked questions

What is Windows Firewall with Advanced Security?

Windows Firewall with Advanced Security (WFAS) is the host-based firewall built into Windows that provides application-specific rules, separate rule sets for Domain, Private, and Public network profiles, outbound traffic filtering, and connection security rules (IPsec). Unlike a network firewall that protects the perimeter, WFAS enforces rules on each individual endpoint regardless of what network it is connected to.

How do I block malware C2 communication with Windows Firewall?

Block outbound connections from processes that legitimate software does not use for internet communication: powershell.exe, cmd.exe, wscript.exe, mshta.exe, and regsvr32.exe. Use New-NetFirewallRule with -Direction Outbound and -Action Block targeting these executables. Enable WFAS logging for blocked connections, then alert in your SIEM on Event ID 5157 (blocked connection) for these processes: it is a high-signal malware indicator.

How do I configure Windows Firewall to only allow specific outbound connections?

Enable default-deny outbound by changing the outbound default rule from Allow to Block in WFAS (Windows Firewall with Advanced Security), then create explicit Allow rules for required connections. This is called an allowlist approach. Recommended rule structure: allow by application path and destination port rather than by IP (IPs change); create rules per application group (browsers on port 443, Windows Update on 443, DNS on port 53). Warning: default-deny outbound causes disruption on first deployment: pilot on 10-20 machines to identify missing rules before broad rollout. This approach is most practical for servers and kiosk systems, not general employee workstations.

How do I deploy Windows Firewall rules via Group Policy?

In Group Policy Management Console: Computer Configuration > Policies > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security > Inbound Rules (or Outbound Rules). Add firewall rules here and they will be pushed to all machines in the GPO scope at the next Group Policy refresh (default 90 minutes). For immediate application, run 'gpupdate /force' on target machines. Use Security Filtering on the GPO to apply rules to specific computer groups rather than the entire OU. Test firewall GPOs in a separate test OU before linking to production systems.

What is the difference between Windows Defender Firewall and Windows Firewall with Advanced Security?

Windows Defender Firewall is the end-user interface (Control Panel or Settings) that provides basic on/off controls and simple application allow rules. Windows Firewall with Advanced Security (WFAS) is the full management interface (wf.msc) that exposes all rule capabilities: inbound and outbound rules with granular conditions (port, application path, IP range, service, protocol), connection security rules for IPsec, and monitoring views showing active rules and security associations. For security hardening, always use WFAS directly or Group Policy: the basic interface hides most of the controls needed for a properly configured firewall policy.

How do you use Windows Firewall connection security rules to enforce IPsec between hosts?

Connection security rules in WFAS use IPsec to authenticate and optionally encrypt traffic between Windows hosts: preventing lateral movement even within the same subnet by requiring cryptographic proof of identity before a connection is established. This is the core mechanism behind Microsoft's server isolation and domain isolation architectures. A request rule requires that incoming connections use IPsec authentication (Kerberos or certificate-based) but does not block unauthenticated traffic. A require rule blocks unauthenticated connections entirely, allowing only IPsec-authenticated hosts to communicate. To configure server isolation: create a connection security rule on your sensitive servers (database servers, domain controllers, HR file shares) that requires authentication from domain-joined machines. Non-domain machines, attacker tools running on compromised endpoints without domain credentials, and any host that fails Kerberos authentication cannot establish connections to the isolated server, even though they are on the same network. Configure in WFAS under Connection Security Rules: choose the Isolation rule type, set the requirement to require authentication for inbound and outbound connections, and use Computer and User (Kerberos V5) as the authentication method. Apply via GPO to the server tier you want to isolate. This stops lateral movement from a compromised workstation to a database server because the workstation's compromised process cannot present valid Kerberos credentials for the server's required authentication.

Sources & references

  1. Microsoft: Windows Firewall with Advanced Security Documentation
  2. CIS Windows Server Benchmark: Firewall Configuration
  3. DISA STIG: Windows Firewall

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.