How to Implement a Host-based Firewall on Windows

Bryan Renzy
13 min read · May 20, 2021

What are we doing?

This lab consists of 3 exercises that guide us through configuring custom firewall rules for our Windows devices. Exercises 1 and 2 walk us through the handy Windows Defender Firewall GUI to make firewall rules, and Exercise 3 shows how to do everything we did in Exercises 1 and 2 through a Command Prompt Terminal.

Why would we want to do this?

So, there are two different classes of firewalls: host-based firewalls and network-based firewalls. Network-based firewalls are also considered hardware firewalls, or physical firewalls, that create a perimeter around our entire network like a fortress wall. These firewalls are excellent at protecting our larger network infrastructure from outside attackers, but provide little to no protection within the network (and can be quite expensive).

That’s where host-based firewalls come into play, since they run primarily as software installed on each individual computer. In order to make sure our network has both a functioning external firewall and internal firewall, we need to make sure we know how to configure host-based firewalls accordingly.

Who would use this?

These skills should be used by anybody using the internet, regardless of the network and their skillset. It’s imperative we use our networks responsibly and safely, and the first step is to ensure that the proper firewalls are put into place.

Thoughts?

I like Windows Defender as a solid free anti-malware software since it does a pretty good job at defending the network, but I like to use Malwarebytes, as well. I feel that using both together increases the effectiveness of our firewalls since both can defend against attacks the other might not catch.

Vendor

Practice Labs¹

Lab

1.9 — Implement a Host-based Firewall

Lab Learning Outcomes

  • Exercise 1 — Configuring Firewall Rules Using Windows Defender Firewall
  • Exercise 2 — Configuring Firewall Rules using Windows Defender Firewall with Advanced Security
  • Exercise 3 — Configuring Firewall Rules from the Command Line Interface

After completing this lab, we will be able to:

  • Configure firewall rules using Windows Defender Firewall
  • Configure firewall rules using Windows Defender Firewall with Advanced Security
  • Configure firewall rules using Command Line Interface

CompTIA Network+ N10–007 Exam Objectives

  • N10–007 2.2 — Given a scenario, determine the appropriate placement of networking devices on a network and install/configure them (Firewall)
  • N10–007 5.5 — Given a scenario, troubleshoot common network service issues (Incorrect host-based firewall settings)

Exercise 1

Configuring Firewall Rules Using Windows Defender Firewall

We need to protect our network internally, and host-based (software) firewalls help us with this. Luckily for us, Windows already comes equipped with a built-in software firewall called Windows Defender Firewall.

After completing this exercise, we’ll be able to:

  • Configure firewall rules Using Windows Defender Firewall

Task 1 — Verify Network Connection

Two computers are considered connected to each other when they can successfully communicate over the network. We can verify a successful connection by pinging one computer to the other.

In this task, we’ll ping our PLABWIN10 computer from our PLABDC01 computer to verify that communication between them is successful.

Step 1: Connect to PLABDC01 and open a Command Prompt Terminal and input:

ping plabwin10

Our PLABWIN10 device should respond successfully to the pings with 0% packet loss.

Task 1 Complete!

Task 2 — Create a Firewall Rule

A firewall rule defines whether inbound and outbound traffic to and from a specified device is blocked or allowed, fully or partially. We can also specify whether the rule applies to the LAN, WAN, remote access, or all of these modes of operation of the computer. Further, these rules can be easily adjusted to the evolving network environment.

In this task, we’ll create a rule that will block incoming ping packets to our PLABWIN10 device.

Step 1: Connect to PLABWIN10, and open Windows Defender Firewall

Note: Make certain we choose the Windows Defender Firewall and not the Windows Defender Firewall with Advanced Security option. We’ll play with that one in Exercise 2!

Click the Allow an app or feature through Windows Defender Firewall link on the left pane.

Step 2: On the Allowed apps window, click Change settings, locate File and Printer Sharing in the Allowed apps and features list, and verify that the check box is cleared.

If it is not, clear it, then click OK.

We should be returned to the Windows Defender Firewall window.

Keep this window open.

Task 2 Complete!

Now we know how to configure our firewall to restrict file and printer sharing on our PLABWIN10 device!

Skeptical? Let’s test it in Task 3!

Task 3 — Test the Firewall

The ping command we’ve been using relies on ICMP, and on Windows the inbound rule that allows ICMP echo requests is part of the File and Printer Sharing group. That means a device only answers our pings if File and Printer Sharing is allowed through its firewall.

Since we just disabled File and Printer Sharing on our PLABWIN10 device, let’s use another device to try and communicate.

In this task, we’ll test whether the ping requests to PLABWIN10 are blocked, as specified by our newly configured firewall rule.

Step 1: Connect once again to our PLABDC01 device. Access the command prompt and input:

ping plabwin10

Notice this time there isn’t a response and the request times out.

That proves to us our newly configured firewall rule we enabled in Task 2 works!

Note: ICMP is included within the File and Printer Sharing functionality of Windows.

Task 3 Complete!

Task 4 — Reconfigure the Firewall Rule

In this task, we’ll reconfigure our firewall on our PLABWIN10 device and disable our previous rule so that File and Printer Sharing is allowed.

Step 1: Connect once again to PLABWIN10.

On the Windows Defender Firewall window, click the Allow an app or feature through Windows Defender Firewall link.

Step 2: On the Allowed apps window, select the File and Printer Sharing check box. Ensure that the Domain check box is enabled too.

Click OK and close all open windows.

Step 3: Return to PLABDC01, and on the Command Prompt, input:

ping plabwin10

PLABDC01 should successfully receive responses from PLABWIN10.

This verifies that re-enabling File and Printer Sharing has reconfigured the firewall to allow the ICMP packets.

Exercise 1 Complete!

Now we know how to modify Windows Defender Firewall and create new rules!

Exercise 2

Configuring Firewall Rules using Windows Defender Firewall with Advanced Security

Windows provides another built-in application for system security — Windows Defender Firewall with Advanced Security. This application offers an expansive view of firewall security and has additional features compared to the simple firewall application.

In this exercise, we’ll create firewall rules using the Windows Defender Firewall with Advanced Security, and we’ll verify their operation.

After completing this exercise, we’ll be able to:

  • Configure firewall rules using Windows Defender Firewall with Advanced Security

Task 1 — Verify that Network Connection is Enabled

Once again, to verify network connection between two computers, we’ll ping one computer from the other.

In this task, we’ll ping our PLABDC01 computer from our PLABWIN10 computer.

Thereafter, we’ll create a firewall rule using Windows Defender Firewall with Advanced Security to block this communication.

Step 1: Connect to our PLABDC01 device and right-click the network icon in the system tray and select Open Network & Internet settings.

On the Settings — Status window, click the Windows Firewall link at the bottom of the window.

On the Windows Security — Firewall & network protection window, notice that the firewall is on for all the listed types of networks. This is confirmed by the green ticks next to each of the listed network types.

Leave the Windows Firewall window open.

Step 2: Connect to PLABWIN10, open a Command Prompt Terminal, and input:

ping plabdc01

The PLABDC01 device should respond, which verifies our two devices can communicate with each other.

Leave the command prompt window open.

Task 1 Complete!

Task 2 — Create a Firewall Rule Using Windows Defender Firewall with Advanced Security

In this task, instead of disabling the entire File and Printer Sharing feature and losing every resource attached to it (like connecting to printers or sharing files with our team), we’ll create a firewall rule that blocks only ICMP.

Step 1: Connect to PLABDC01.

On the Windows Defender Firewall window, click the Advanced Settings link at the bottom of the window.

Step 2: On the Windows Defender Firewall with Advanced Security window, click the Inbound Rules node on the console tree on the left pane.

Note: The Windows Defender Firewall with Advanced Security window might appear in the background of the Windows Firewall window. We can access the advanced security window by clicking its icon on the taskbar.

The Inbound Rules pane in the middle of the window displays details of the various inbound firewall rules.

Step 3: Scroll down the Inbound Rules pane to find the File and Printer Sharing (Echo Request-ICMPv4-In) rule.

Currently, the rule is activated. This is verified by the green tick next to the listed rule.

Note: We may need to expand the column in order to view the full name of the Inbound Rule.

Right-click the rule and select Properties.

On the File and Printer Sharing (Echo Request-ICMPv4-In) Properties dialog box, ensure that the General tab is selected.

Step 4: In the Action section, select the Block the connection radio button. Click Apply and then click OK.

Notice that the File and Printer Sharing (Echo Request-ICMPv4-In) rule now displays a blocked icon next to it. This confirms that the ICMPv4 access is now blocked.

Leave the Windows Defender Firewall with Advanced Security window open.

Task 2 Complete!

Now we know how to block ICMP by creating a new rule on Windows Defender Firewall with Advanced Security!

Let’s see if it actually works.

Task 3 — Test the Firewall Rule Created

In this task, we’ll test our new rule we just created in Task 2.

Step 1: Return to the PLABWIN10 device, and in the Command Prompt, input:

ping plabdc01

Notice the ping request timed out.

That tells us we’re not getting a response from our PLABDC01 server, and we can safely confirm our new firewall rule is working like it’s supposed to.

Leave the command prompt window open.

Task 3 Complete!

Task 4 — Reconfigure the Firewall Rule

In this task, we’ll re-configure PLABDC01 to respond to the ping requests by disabling our new firewall rule.

Step 1: Return to our PLABDC01 device.

On the Windows Defender Firewall with Advanced Security window, in the Inbound Rules pane, right-click File and Printer Sharing (Echo Request-ICMPv4-In) and select Properties.

On the File and Printer Sharing (Echo Request-ICMPv4-In) Properties dialog box, ensure that the General tab is selected.

Step 2: In the Action section, select the Allow the connection radio button and click Apply and then click OK.

Notice that the File and Printer Sharing (Echo Request-ICMPv4-In) rule now displays an allowed icon next to it.

This also should indicate our new firewall rule is now disabled. Let’s test this theory in Step 3.

Keep the Windows Defender Firewall with Advanced Security window open.

Step 3: Return to the PLABWIN10 device. On the Command Prompt, input:

ping plabdc01

The PLABDC01 should respond successfully.

Bingo! We’ve officially disabled our new firewall rule, which allowed us to ping our PLABDC01 device using PLABWIN10!

Exercise 2 Complete!

Exercise 3

Configuring Firewall Rules from the Command Line Interface

So, everything we did in Exercise 1 and Exercise 2 can actually be done exclusively in our Command Line Interface (our Terminal). It’s a lot faster and it makes us look like we’re doing something really technical, even though what we’re doing is pretty basic.

After completing this exercise, we’ll be able to:

  • Configure Firewall Rules from the Command Line Interface

Task 1 — Configure Firewall to Block Inbound Traffic

In this task, we’ll do exactly what we did in Exercise 2 but with our Terminal instead of the GUI we used earlier.

Step 1: Connect to our PLABDC01 device.

Instead of using Windows Defender Firewall with Advanced Security, let’s use a Command Prompt Terminal.

Open a Command Prompt Terminal and input²:

netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=block

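We should get an Ok. as a response.

There, incoming ICMP echo requests to this device should now be blocked, and we should officially have a new firewall rule enabled. The rule name is only a label: even though it contains the word “Allow”, action=block is what takes effect.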

Let’s see if it works.

Step 2: Connect to PLABWIN10.

On the Command Prompt, input the following:

ping plabdc01

Notice that the ping request is timed out. There is no response from the PLABDC01 server. This confirms that the incoming packets to PLABDC01 are blocked, and our new firewall rule is functioning!

Leave the command prompt window open.

Task 1 Complete!

Task 2 — Use CLI Commands to Configure the Firewall

In this task, we’ll use a Command Prompt Terminal again to switch off the firewall for all profiles on our PLABDC01 device.

Step 1: Connect to PLABDC01, and access the Command Prompt Terminal and input:

netsh advfirewall set allprofiles state off

Access the Command Prompt window.

This command switches off the firewall for all the network profiles on PLABDC01.

The system responds to the command with an OK. This confirms that the command was executed successfully.

Minimize the command prompt window, and confirm on the Windows Security window.

Task 2 Complete!

Task 3 — Verify the Efficacy of the Firewall Rule

In this task, we’ll test whether the firewall on our PLABDC01 computer is switched off, as specified by the CLI command we did in Task 2.

Step 1: Still on PLABDC01, select the Windows Security icon on the task bar.

On the Windows Security — Firewall & network protection window, notice that firewall is now switched off for all the profiles on the PLABDC01 computer. This is verified by the red cross-out marks next to each profile.

Step 2: Switch back to PLABWIN10.

On the Command Prompt, input the following:

ping plabdc01

We should get a response since we turned off the firewall on our PLABDC01 device in Task 2.

Note: Having the firewall off also means having every firewall rule off, as well.

Task 3 Complete!

Task 4 — Reconfigure the Firewall Using CLI

In this task, we’ll use our Terminal to switch back on the firewall on our PLABDC01 device. In addition, we’ll verify that the firewall is switched on.

Step 1: Switch back to PLABDC01, and access the Command Prompt and input the following:

netsh advfirewall set allprofiles state on

We should receive the OK response confirming that the firewall is switched back on for all the profiles on PLABDC01.

Close the Command Prompt window.

Step 2: Access the Windows Defender Firewall window and verify that the firewall is switched on for all the profiles.

Step 3: Switch back to PLABWIN10.

On the Command Prompt, again input the following:

ping plabdc01

Notice now the request is timed out. This is because the firewall is now switched on and the firewall rule to deny incoming ICMP packets once again is in effect.

Exercise 3 Complete!
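
Added example (not part of the original lab): a PowerShell check of the state Exercise 3 leaves behind on PLABDC01. It re-enables any firewall profile that is still off, lists the enabled inbound ICMPv4 echo-request rules with their action (a Block rule takes precedence over an Allow rule, which is why the ping still times out in Task 4), and provides a cleanup function for the lab rule. It assumes an elevated session and the built-in NetSecurity cmdlets; the function names are made up for this example.

```powershell
# Added example, not from the original lab. Run in an elevated PowerShell
# session on the host that was configured (PLABDC01 on this page).
$LabRule = 'ICMP Allow incoming V4 echo request'   # name from the page's netsh command

function Get-DisabledFirewallProfile {
    # Profiles still off, e.g. after "netsh advfirewall set allprofiles state off"
    Get-NetFirewallProfile -Profile Domain, Private, Public |
        Where-Object { $_.Enabled -ne 'True' }
}

function Get-InboundEchoRule {
    # Enabled inbound rules whose filter names ICMPv4 echo request (type 8)
    Get-NetFirewallPortFilter |
        Where-Object { ($_.Protocol -in 'ICMPv4', '1') -and
                       ($_.IcmpType -match '^(8(:.*)?|Any)$') } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
        Select-Object DisplayName, Action, Profile
}

function Remove-LabEchoRule {
    # Delete the rule added in Exercise 3; the built-in rules are left alone
    if (Get-NetFirewallRule -DisplayName $LabRule -ErrorAction SilentlyContinue) {
        Remove-NetFirewallRule -DisplayName $LabRule
    }
}

# 1. The firewall must be on for every profile before any rule has an effect
$off = Get-DisabledFirewallProfile
if ($off) {
    Write-Warning "Firewall disabled for: $($off.Name -join ', '); re-enabling"
    $off | Set-NetFirewallProfile -Enabled True
}

# 2. Show which echo-request rules are live; a Block rule overrides any Allow
$rules = Get-InboundEchoRule
$rules | Format-Table -AutoSize
if ($rules | Where-Object { $_.Action -eq 'Block' }) {
    Write-Output 'Inbound ping is blocked: a Block rule is active.'
}

# 3. Uncomment to remove the lab rule once the exercise is finished
# Remove-LabEchoRule
```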
