PRACTITIONER GUIDE | NETWORK SECURITY
Practitioner GuideUpdated 11 min read

Windows Firewall with Advanced Security: How to Use Host-Based Rules for Lateral Movement Prevention

Workstation-to-workstation
SMB and WMI connections are the primary lateral movement mechanism in Windows environments. Blocking inbound SMB (port 445) and WMI (port 135 + dynamic RPC) from other workstations while allowing them from management servers eliminates the most common post-exploitation movement technique
Free and built-in
Windows Firewall with Advanced Security is included in every edition of Windows. Deploying workstation isolation rules via Group Policy requires no additional software, licensing, or hardware. The barrier to deployment is operational (testing, validation) not financial
GPO deployment
pushes WFAS rules to endpoints via Group Policy, applying consistently across the fleet without requiring local admin access on individual machines. Rules deployed via GPO appear as greyed-out in local WFAS UI, preventing user or attacker modification without GPO override
Connection security rules
are a separate WFAS feature that enforces IPsec authentication for connections between machines -- allowing 'only authenticated domain machines can reach this server' policies. This is distinct from standard inbound/outbound filter rules and provides identity-based segmentation

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Network firewalls segment between subnets. Windows Firewall with Advanced Security segments at the host level -- each endpoint enforces its own inbound rules regardless of which VLAN it is on. This matters because most lateral movement in Windows environments happens between workstations on the same subnet (same VLAN, same network segment), which a perimeter or inter-VLAN firewall never sees. Blocking SMB and WMI connections between workstations via GPO-deployed WFAS rules is a high-impact, zero-cost control that eliminates the most common tool-assisted lateral movement paths.

Design the Workstation Isolation Rule Set

The core pattern: block inbound SMB and WMI/RPC from the workstation IP range, except from designated management servers and DCs.

Define your IP groups before writing rules:

  • Workstation subnets (e.g., 10.10.0.0/16)
  • Management server IPs (your jump servers, monitoring systems, SCCM/Intune, vulnerability scanners)
  • Domain controller IPs
  • Server subnets (to be exempted from workstation-to-workstation rules)

The three rules that matter most for workstation isolation:

  1. Block inbound SMB from workstations: Prevents SMB lateral movement (PsExec, Impacket, standard admin shares)
  2. Block inbound WMI/DCOM from workstations: Prevents WMI-based lateral movement (wmiexec, Invoke-WMIMethod)
  3. Block inbound RDP from workstations (optional): Prevents RDP pivoting between workstations

Exceptions required:

  • Allow SMB from DCs (Group Policy, SYSVOL, Netlogon)
  • Allow SMB from management servers (SCCM, monitoring agents, backup)
  • Allow WMI from monitoring systems
  • Allow RDP from jump servers / PAWs only

Deploy Workstation Isolation Rules via Group Policy

Create a GPO applied to the Workstations OU.

Group Policy path: Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules

Rule 1: Block inbound SMB from workstation subnets (except management)

  • Right-click Inbound Rules > New Rule
  • Rule type: Custom
  • Program: All programs
  • Protocol: TCP, Local port: 445
  • Scope > Remote IP addresses: [Your workstation subnets, e.g., 10.10.0.0/16]
  • Action: Block the connection
  • Profile: Domain, Private, Public
  • Name: WFAS-BLOCK-SMB-From-Workstations

Rule 2: Allow SMB from management servers (process BEFORE the block rule):

  • Same settings but:
  • Remote IP addresses: [Your management server IPs, DC IPs]
  • Action: Allow the connection
  • Name: WFAS-ALLOW-SMB-From-Management
  • Order matters: Allow rules are evaluated before Block rules with the same specificity. Use GPO rule ordering or naming conventions to verify the allow rule is not overridden.

Deploy and verify with PowerShell:

# Verify rules are applied on an endpoint after GPO applies
Get-NetFirewallRule | Where-Object { $_.Name -like 'WFAS-*' } |
    Select-Object Name, Enabled, Action, Direction

# Test: try to connect to SMB on a workstation from another workstation
# (should be blocked after the rule applies)
Test-NetConnection -ComputerName [workstation-IP] -Port 445
# Expected: TcpTestSucceeded : False

# Verify the firewall profile is active (Domain profile should be active on domain-joined machines)
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Configure Connection Security Rules for Domain Isolation

Connection security rules enforce IPsec authentication for connections between machines. Domain isolation uses them to ensure only domain-joined machines can reach protected servers.

Basic domain isolation setup:

GPO for all domain members: Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Connection Security Rules

  • New Rule > Isolation
  • Require authentication for inbound and outbound connections
  • Authentication method: Computer and User (Kerberos V5)
  • Profile: Domain
  • Name: Domain-Isolation-Require-Auth

This causes all domain members to request IPsec authentication for connections to each other. Machines that cannot authenticate (non-domain devices) cannot connect to domain members on protected ports.

Server isolation (for sensitive servers):

GPO on the Servers OU -- restrict inbound connections to domain-authenticated sources only:

# Connection security rule on the server:
# Require authentication: Inbound connections must be authenticated
# Allowed membership: Specific AD group (e.g., 'Authorized-Server-Access')
# This supplements WFAS inbound filter rules with identity-based authentication

Exemptions for non-domain devices: Create an IPsec exemption for devices that cannot do Kerberos (printers, IoT, non-Windows devices):

  • New Connection Security Rule > Authentication exemption
  • Specify the IP addresses of non-domain devices to exempt

Audit Current WFAS Rules and Verify Effectiveness

Audit all active firewall rules on an endpoint:

# Full WFAS rule dump
Get-NetFirewallRule -PolicyStore ActiveStore |
    Get-NetFirewallPortFilter |
    Select-Object @{N='Name';E={$_.InstanceID}}, Protocol, LocalPort, RemotePort |
    Export-Csv C:\WFAS-Audit.csv -NoTypeInformation

# Find rules that allow inbound SMB
Get-NetFirewallRule -Direction Inbound -Action Allow |
    Where-Object { $_.Enabled -eq 'True' } |
    Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq '445' -or $_.LocalPort -eq 'Any' }

Check the current firewall profile and default actions:

Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
# For domain-joined machines, Domain profile should be: Enabled=True, DefaultInboundAction=Block
# If DefaultInboundAction=Allow, all inbound traffic is allowed by default
# (explicit block rules still work, but the posture is permissive)

Test that workstation isolation is effective:

# From WorkstationA, try to reach WorkstationB's SMB
Test-NetConnection -ComputerName [WorkstationB-IP] -Port 445
# Expected after rule deployment: TcpTestSucceeded : False
# TcpTestSucceeded : True means the rule is not applied or has an exception

# From a management server, verify management access still works:
Test-NetConnection -ComputerName [WorkstationA-IP] -Port 445
# Expected: TcpTestSucceeded : True (management server is exempted)

The bottom line

WFAS workstation isolation is one of the highest-return GPO configurations for lateral movement prevention. The deployment order: map your management server and DC IPs, write allow rules for those sources first, write the workstation-subnet block rules, test in a pilot OU, validate management tools still work, expand to the fleet. The most common mistake is enabling the block rule without the management server allow rule -- validate the allow rule is working before the block rule goes fleet-wide.

Frequently asked questions

Does Windows Firewall with Advanced Security work with VPN clients?

It depends on the VPN client and how it integrates with the Windows networking stack. Most enterprise VPN clients (Cisco AnyConnect, Palo Alto GlobalProtect, Zscaler Client Connector) add a virtual network adapter that Windows treats as an additional network interface. WFAS rules on the Domain profile apply to the corporate network connection. The VPN adapter typically gets the Public or Private profile depending on its authentication state. Review your VPN client documentation for which Windows firewall profile applies to the VPN adapter, and ensure your rules cover the correct profiles. Some VPN clients also install their own firewall rules that may interact with WFAS.

Will blocking workstation-to-workstation SMB break any legitimate use?

Rarely in environments with proper IT hygiene. The cases where it breaks: users sharing folders directly from their workstation to other users (peer-to-peer file sharing, not going through a file server), some older IT tools that connect to workstations via SMB (legacy asset management tools, older backup agents), and users who remotely access their own workstation from another workstation via mapped drives. Survey for these use cases before deploying, and document exceptions. In a well-managed environment, file sharing should go through designated file servers (which are exempted from the workstation block rule), not between workstations directly.

How does Windows Firewall interact with Microsoft Defender Firewall in Intune?

They are the same product -- Microsoft Defender Firewall and Windows Firewall with Advanced Security are the same underlying engine, accessed via different management interfaces. The Intune Endpoint Security Firewall profile configures Windows Firewall settings and rules. Group Policy WFAS settings configure the same engine via SYSVOL-delivered policy. When both are configured, GPO settings take precedence over MDM settings for most firewall configuration, with some exceptions. As you migrate from GPO to Intune, remove firewall rules from GPO and validate their Intune equivalents are effective before the GPO version is removed.

Can Windows Firewall rules be modified by a local administrator after GPO deployment?

In most cases, no. Rules deployed via Group Policy are marked as GPO-managed and appear greyed-out in the local Windows Firewall GUI. A local administrator cannot delete or modify GPO-delivered rules via the GUI or via Remove-NetFirewallRule (which returns an error for policy-deployed rules). An attacker with local admin access can disable the firewall profiles entirely (Set-NetFirewallProfile -Enabled False), which disables all rules including GPO ones -- but this requires local admin and generates an auditable event. Use the WFAS GPO setting to prevent profile disabling: Computer Configuration > Windows Firewall > Domain Profile > Windows Firewall: Protect all network connections: Enabled.

How do I use Windows Firewall for micro-segmentation between server tiers without a hardware firewall?

Create connection security rules and firewall rules that implement tier-based access control at the host level. Define three firewall rule categories: inbound rules on Tier 0 servers (DCs) that allow only Tier 0 management sources (PAW IPs) and necessary service ports; inbound rules on Tier 1 servers that allow access from Tier 1 management sources and permitted application sources; inbound rules on workstations that block any inbound administrative connections except from IT management IPs. Use Group Policy to deploy the rules by OU: one GPO for domain controllers, one for Tier 1 servers, one for workstations. This provides logical micro-segmentation enforced at the OS level, complementing network-level controls.

How do I troubleshoot Windows Firewall rules that are unexpectedly blocking legitimate traffic?

Enable Windows Firewall logging: in the advanced firewall settings, enable dropped packet logging to %systemroot%\system32\LogFiles\Firewall\pfirewall.log. The log captures source IP, destination IP, port, protocol, and the action (DROP or ALLOW) for each packet. For interactive troubleshooting, use the Windows Firewall Troubleshooter in the Microsoft 365 admin center or the Get-NetFirewallRule and Test-NetConnection cmdlets. To identify which specific rule is blocking traffic: `Get-NetFirewallRule | Where-Object {$_.Enabled -eq 'True' -and $_.Action -eq 'Block'} | Select-Object DisplayName, Direction, Protocol` lists all active block rules. For connection security (IPsec) issues that appear as firewall blocks: check `Get-NetConnectionProfile` to confirm the network profile (Domain, Private, Public) matches the firewall profile the rules are applied to. Traffic blocked because a connection is classified as Public profile instead of Domain profile is a common issue when domain authentication is slow.

Sources & references

  1. Microsoft -- Windows Firewall with Advanced Security design guide
  2. Microsoft -- Domain Isolation using Windows Firewall

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.