Windows Server Firewall: Advanced Configuration for SMEs

Mar 28, 2025 | 7 min | Korur Security Team
Windows Defender Firewall with Advanced Security is far more capable than the simple on/off toggle most people use. With proper rules, profiles, and logging, it becomes a real host-based firewall that limits lateral movement inside your network. Here is how to configure it for a server fleet.

Understand the three profiles

The firewall has Domain, Private, and Public profiles, each with independent rules. On a server, the Domain profile applies when connected to your Active Directory domain. Configure each profile deliberately rather than copying rules blindly across all three.

Step 1: Default to blocking inbound

Set the inbound default action to Block for all profiles, then explicitly allow only the ports each server role needs. A file server needs SMB; a web server needs 80 and 443. Everything else stays closed. This is the opposite of the permissive default many environments drift into.

Step 2: Control outbound traffic

Most environments leave outbound traffic unrestricted, which lets malware phone home freely. For sensitive servers, switch the outbound default to Block and allow only the specific destinations the server legitimately needs to reach. This is more work but contains compromised hosts.

Step 3: Scope rules tightly

Do not just open a port — scope the rule to the specific source addresses allowed to use it. Limiting RDP to your management subnet, for example, means a compromised user workstation cannot reach the server's RDP port at all.

Step 4: Enable firewall logging

Turn on logging for dropped packets and successful connections per profile. Point the log to a known path and review it, or forward it to a central collector. Without logging you are blind to what the firewall is actually doing.

Step 5: Deploy via Group Policy

Configuring servers one by one does not scale. Build your firewall rules into a Group Policy Object and link it to the relevant OU so every server inherits a consistent, version-controlled baseline. Test the GPO on a pilot server before broad deployment.
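
The five steps above, staged into a single GPO with the built-in NetSecurity cmdlets. This script is an added illustration, not Korur's own tooling; the GPO name, domain, subnets and addresses are assumed placeholders, and the GPO must already exist.

```powershell
# Added example. Assumed values: GPO name, domain, subnets, server addresses.
$store      = 'corp.example\Server-Firewall-Baseline'  # <domain FQDN>\<existing GPO>
$mgmtSubnet = '10.0.50.0/24'                           # management subnet allowed to RDP
$infra      = '10.0.10.10', '10.0.10.11'               # domain controllers / DNS
$sensitive  = $true                                    # apply Step 2 (outbound default Block)

# Step 5: open the GPO once, stage every change in it, save at the end.
$gpo = Open-NetGPO -PolicyStore $store

# Steps 1 and 4: inbound default Block plus logging, on all three profiles.
Set-NetFirewallProfile -GPOSession $gpo -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block `
    -LogBlocked True -LogAllowed True -LogMaxSizeKilobytes 16384 `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Step 3: RDP only on the Domain profile and only from the management subnet.
New-NetFirewallRule -GPOSession $gpo -DisplayName 'Allow RDP from mgmt subnet' `
    -Direction Inbound -Profile Domain -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $mgmtSubnet -Action Allow | Out-Null

# Role rule for a web server: 80 and 443 are the only other inbound ports.
New-NetFirewallRule -GPOSession $gpo -DisplayName 'Allow HTTP/HTTPS in' `
    -Direction Inbound -Protocol TCP -LocalPort 80,443 -Action Allow | Out-Null

if ($sensitive) {
    # Step 2: the outbound allow list must cover what a domain member itself
    # needs (domain controllers, DNS) in addition to the server's workload.
    New-NetFirewallRule -GPOSession $gpo -DisplayName 'Allow out to DC/DNS' `
        -Direction Outbound -Profile Domain -RemoteAddress $infra -Action Allow | Out-Null
    Set-NetFirewallProfile -GPOSession $gpo -Profile Domain,Private,Public `
        -DefaultOutboundAction Block
}

Save-NetGPO -GPOSession $gpo

# Read-only check; run on the pilot server after 'gpupdate /force' to see what is enforced.
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, DefaultInboundAction, DefaultOutboundAction, LogBlocked, LogAllowed, LogFileName
```

Running the script a second time adds duplicate rules, because DisplayName is not a unique key; remove the earlier rules from the GPO before re-staging.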

A well-configured host firewall is a quiet but powerful control. Default-deny inbound, scope every rule, log everything, and deploy through Group Policy for consistency.
