Windows Firewall with Advanced Security (WFAS) Basics

Windows Firewall with Advanced Security (WFAS) lets you create rules based on protocols, ports and services, unlike the basic Windows Firewall, where rules are based on programs. The basic Windows Firewall is enough for the normal, safe operation of your computer, but advanced users can use WFAS to:

  • Configure inbound and outbound rules
  • Configure rules based on protocol type and port address
  • Configure rules based on specific services
  • Configure a scope for rules based on source or destination address
  • Configure rules based on authenticated traffic
  • Configure connection security rules

WFAS comes in handy when you need to enable a rule that allows traffic for a specific service only while connected to one network profile. For example, you can allow FTP traffic for the Domain (Work) profile but not for the Public profile. This means that computers at your workplace can connect to your computer hosting an FTP service, whereas such traffic is blocked when you're connected to another network or to the Internet elsewhere.

You can open the WFAS snap-in either by typing Windows Firewall with Advanced Security in the Start search box or by clicking Advanced settings in Control Panel\System and Security\Windows Firewall. The WFAS snap-in displays which network profiles are currently active, as shown below:

When you need to deploy a firewall configuration to several computers in an organization, you can use Group Policy. If, however, the configuration is to be pushed to stand-alone computers, you can replicate it using the Import Policy and Export Policy options found in the WFAS snap-in. The Import and Export options also let you save the current firewall configuration before you make changes to it, so you can roll back if a change goes wrong. Exported policy files have the .wfw extension and use a binary format. The same features are available from the command-line tool netsh, via the netsh advfirewall export and netsh advfirewall import commands.

It is worth mentioning a couple of points about the command-line tool netsh, which is popular among systems administrators and advanced Windows users. In my opinion, the main advantages of netsh are that it can be used in scripts that create firewall rules on several computers that are not subject to domain-applied Group Policy, and that it integrates with Windows Remote Shell (WinRS), so you can manage remote computers' firewall configurations.

To create WFAS rules with netsh.exe, you need to open an elevated command prompt and work in the advfirewall firewall context. For example, to create a rule named MyWebServer that applies in the domain profile and allows inbound traffic on TCP port 80, from an elevated command prompt type:

netsh advfirewall firewall add rule name="MyWebServer" profile=domain protocol=TCP dir=in localport=80 action=allow

To create a rule that allows inbound traffic to an executable named MyApp in all network profiles, from an elevated command prompt type:

netsh advfirewall firewall add rule name="MyApp" dir=in program="c:\windows\system32\MyApp.exe" action=allow
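The following script is an added example, not code from the original article. It ties together the netsh steps described above: it snapshots the policy with netsh advfirewall export before making a change (the roll-back use of Import/Export mentioned earlier), adds the profile-limited inbound FTP rule from the Domain-only example, narrows it further with the remoteip scope so port 21 is never opened to every host, verifies the rule with show rule, and restores the snapshot with netsh advfirewall import if anything fails. It assumes an elevated PowerShell session; the backup folder C:\WfasBackups and the work subnet 10.20.0.0/16 are constructed placeholders.

```powershell
# Added example (not from the original article). Assumptions: run elevated;
# C:\WfasBackups and 10.20.0.0/16 are constructed placeholder values.

function Backup-WfasPolicy {
    param([string]$BackupDir = 'C:\WfasBackups')   # assumed location
    if (-not (Test-Path -LiteralPath $BackupDir)) {
        New-Item -ItemType Directory -Path $BackupDir | Out-Null
    }
    $file = Join-Path $BackupDir ("wfas-{0:yyyyMMdd-HHmmss}.wfw" -f (Get-Date))
    # netsh wants a full path; the .wfw it writes is binary, so the only checks
    # available here are the exit code and a non-empty file.
    & netsh advfirewall export "$file" | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $file) -or
        (Get-Item -LiteralPath $file).Length -eq 0) {
        throw "Export to $file failed (netsh exit code $LASTEXITCODE)"
    }
    return $file
}

function Restore-WfasPolicy {
    param([Parameter(Mandatory)][string]$Path)
    # Import replaces the entire policy (profiles, settings and rules) with the
    # snapshot, so only point it at a file you took yourself.
    & netsh advfirewall import "$Path" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Import of $Path failed (exit code $LASTEXITCODE)" }
}

function Test-WfasRule {
    param([Parameter(Mandatory)][string]$Name)
    # "show rule" prints a "Rule Name:" block for each match and
    # "No rules match the specified criteria." otherwise, so match on the former.
    $out = & netsh advfirewall firewall show rule "name=$Name" 2>&1
    return (($out -join "`n") -match 'Rule Name:')
}

function Add-WfasScopedRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Port,
        [string]$Protocol = 'TCP',
        [string]$Profile  = 'domain',   # domain | private | public | any
        [string]$RemoteIp = 'any'       # e.g. localsubnet or 10.20.0.0/16
    )
    if (Test-WfasRule -Name $Name) {
        Write-Warning "Rule '$Name' already exists; not adding a duplicate"
        return $false
    }
    # Each key=value pair is passed as its own argument so that rule names
    # containing spaces survive PowerShell's argument parsing.
    & netsh advfirewall firewall add rule "name=$Name" "dir=in" "action=allow" `
        "protocol=$Protocol" "localport=$Port" "profile=$Profile" "remoteip=$RemoteIp" | Out-Null
    return ($LASTEXITCODE -eq 0 -and (Test-WfasRule -Name $Name))
}

# Usage: the FTP-only-at-work case from the article, restricted to the
# (constructed) office subnet in addition to the Domain profile.
$backup = Backup-WfasPolicy
try {
    $ok = Add-WfasScopedRule -Name 'FTP Server (Work only)' -Port 21 -Profile domain -RemoteIp '10.20.0.0/16'
    if (-not $ok) { throw 'rule was not created' }
    netsh advfirewall firewall show rule name="FTP Server (Work only)"
}
catch {
    Write-Warning "Change failed ($_); restoring policy from $backup"
    Restore-WfasPolicy -Path $backup
}
```

The snapshot-then-change-then-verify order is the point: a .wfw export taken before the edit is the only cheap way back to a known-good state on a stand-alone machine, and checking show rule after add rule catches the case where netsh accepted the syntax but the rule did not land where you expected (for example, a mistyped profile name). Because the article's WinRS remark applies here too, the same netsh commands can be run against another machine by prefixing them with winrs -r:<hostname> in an elevated session, where <hostname> is a placeholder.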

To read more about WFAS and how to create rules, go here.
