Applies to:
- ✅ Windows 11, ✅ Windows 10, ✅ Windows Server 2022, ✅ Windows Server 2019, ✅ Windows Server 2016
The Windows Defender Firewall with Advanced Security Administration with Windows PowerShell guide provides essential scriptlets for automating Windows Defender Firewall management. It's designed for IT pros, system administrators, IT managers, and others who use and need to automate Windows Defender Firewall management in Windows.
You can use Windows PowerShell to manage your firewall and IPsec deployments. This object-oriented scripting environment makes it easier to manage policies and monitor network conditions than it was in netsh. Windows PowerShell lets you discover network settings through the syntax and parameters of each cmdlet. This guide shows how common tasks were performed in netsh and how you can use Windows PowerShell to accomplish them.
In future versions of Windows, Microsoft may remove the netsh feature for Windows Defender Firewall. Microsoft recommends switching to Windows PowerShell if you currently use netsh to configure and manage Windows Defender Firewall.
The Windows PowerShell and netsh commands are referenced in the following locations.
- Netsh commands for Windows Defender Firewall
Scope
This guide doesn't teach you the fundamentals of Windows Defender Firewall, which can be found in Windows Defender Firewall. It doesn't teach the fundamentals of Windows PowerShell, and it assumes that you're familiar with the Windows PowerShell language and the basic concepts of Windows PowerShell. For more information about Windows PowerShell concepts and usage, see the reference topics in the Additional resources section of this guide.
Audience and user requirements
This guide is intended for IT pros, system administrators, and IT managers, and it assumes that you're familiar with Windows Defender Firewall, the Windows PowerShell language, and the basic concepts of Windows PowerShell.
In this topic
Section | Description
---|---
Set Global Profile Defaults | Enable and control firewall behavior
Implement basic firewall rules | How to create, modify, and delete firewall rules
Manage remotely | Remote management by using -CimSession
Implement basic IPsec rule configuration | IPsec rules and associated parameters
Implement secure firewall rules with IPsec | Domain and server isolation
Additional resources | Learn more about Windows PowerShell
Set Global Profile Defaults
Global defaults set the behavior of the device based on the profile. Windows Defender Firewall supports public, private, and domain profiles.
Enable Windows Defender Firewall with Advanced Security
Windows Defender Firewall drops traffic that doesn't correspond to allowed unsolicited traffic, or to traffic that's sent in response to a request by the device. If you find that the rules you create aren't being enforced, you may need to enable Windows Defender Firewall. Here's how to enable Windows Defender Firewall on a local domain device:
Netsh
```cmd
netsh advfirewall set allprofiles state on
```
Windows PowerShell
```powershell
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
```
Control Windows Defender Firewall with Advanced Security behavior
Global defaults can be defined using the command line interface. These modifications are also available through the Windows Defender Firewall with Advanced Security console.
The following scriptlets set the default inbound and outbound actions, specify protected network connections, and allow notifications to be displayed to the user when a program is blocked from accepting inbound connections. They enable unicast response to broadcast or multicast network traffic and specify logging settings for troubleshooting.
Netsh
```cmd
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall set allprofiles settings inboundusernotification enable
netsh advfirewall set allprofiles settings unicastresponsetomulticast enable
netsh advfirewall set allprofiles logging filename %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
```
Windows PowerShell
```powershell
Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow -NotifyOnListen True -AllowUnicastResponseToMulticast True -LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
```
Disable Windows Defender Firewall with Advanced Security
Microsoft recommends that you don't disable Windows Defender Firewall, because you lose other benefits provided by the service, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, Windows Service Hardening, and boot time filters.
Disabling Windows Defender Firewall with Advanced Security can also cause problems, including:
- Start menu may stop working
- Modern apps may not install or update
- Activation of Windows via phone fails
- Application or operating system incompatibilities that rely on Windows Defender Firewall
Microsoft recommends disabling Windows Defender Firewall only when a third-party firewall is installed, and restoring Windows Defender Firewall to default settings when third-party software is disabled or removed.
If you need to disable Windows Defender Firewall, don't disable it by stopping the Windows Defender Firewall service (in the Services snap-in, the display name is Windows Defender Firewall and the service name is MpsSvc). Stopping the Windows Defender Firewall service isn't supported by Microsoft.
Non-Microsoft firewall software can programmatically disable only the parts of Windows Defender Firewall that need to be disabled for compatibility. You shouldn't disable the firewall yourself for this purpose.
The proper method to disable Windows Defender Firewall is to disable the Windows Defender Firewall profiles and leave the service running.
Use the following procedure to turn off the firewall, or disable the Group Policy setting Computer Configuration|Administrative Templates|Network|Network Connections|Windows Defender Firewall|Domain Profile|Windows Defender Firewall: Protect all network connections. For more information, see the Windows Defender Firewall with Advanced Security deployment guide.
The following example disables Windows Defender Firewall for all profiles.
```powershell
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
```
Implement basic firewall rules
This section contains sample scriptlets to create, modify, and delete firewall rules.
Create firewall rules
Adding a firewall rule in Windows PowerShell looks a lot like Netsh, but the parameters and values are specified differently.
Here is an example of how to allow Telnet to listen on the network. This firewall rule is limited to the local subnet using a keyword instead of an IP address. Similar to Netsh, the rule is created on the local device and takes effect immediately.
Netsh
```cmd
netsh advfirewall firewall add rule name="Allow Inbound Telnet" dir=in program=%SystemRoot%\System32\tlntsvr.exe remoteip=localsubnet action=allow
```
Windows PowerShell
```powershell
New-NetFirewallRule -DisplayName "Allow Inbound Telnet" -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow
```
The following scriptlet shows how to add a basic firewall rule that blocks outbound traffic from a specific application and local port to a Group Policy Object (GPO) in Active Directory. In Windows PowerShell, the policy store is specified as a parameter within the New-NetFirewallRule cmdlet. In Netsh, you must first specify the GPO that the commands in a Netsh session should modify. The commands you enter are run against the contents of the GPO, and this remains in effect until the Netsh session is ended or until another set store command is executed.
Here, domain.contoso.com is the name of your Active Directory Domain Services (AD DS) domain and gpo_name is the name of the GPO that you want to modify. Quotation marks are required if there are any spaces in the GPO name.
Netsh
```cmd
netsh advfirewall set store gpo=domain.contoso.com\gpo_name
netsh advfirewall firewall add rule name="Block Outbound Telnet" dir=out program=%SystemRoot%\System32\telnet.exe protocol=tcp localport=23 action=block
```
Windows PowerShell
```powershell
New-NetFirewallRule -DisplayName "Block Outbound Telnet" -Direction Outbound -Program %SystemRoot%\System32\telnet.exe -Protocol TCP -LocalPort 23 -Action Block -PolicyStore domain.contoso.com\gpo_name
```
GPO caching
To reduce the load on busy domain controllers, Windows PowerShell allows you to load a GPO in a local session, make all your changes in that session, and then write it back once.
The following command performs the same actions as the previous example (adding a Telnet rule to a GPO), but we do so by applying GPO caching in PowerShell. Changing the GPO by loading it into your local session and using the -GPOSession parameter isn't supported in Netsh.
Windows PowerShell
```powershell
$gpo = Open-NetGPO -PolicyStore domain.contoso.com\gpo_name
New-NetFirewallRule -DisplayName "Block Outbound Telnet" -Direction Outbound -Program %SystemRoot%\System32\telnet.exe -Protocol TCP -LocalPort 23 -Action Block -GPOSession $gpo
Save-NetGPO -GPOSession $gpo
```
This command doesn't batch individual changes; it loads and saves the entire GPO at once. So if any other changes are made by other administrators, or in a different Windows PowerShell window, saving the GPO overwrites those changes.
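As an added example that is not part of the Microsoft guidance above, the following function batches several rules into one Open-NetGPO/Save-NetGPO session and skips any rule whose display name is already present in the GPO, so re-running it does not create duplicates. The GPO path domain.contoso.com\gpo_name and the two Telnet rules are the values used on this page; the function name and the existence check are assumptions of this example.

```powershell
function Add-FirewallRulesToGpo {
    # Load the GPO once, add only the rules that are missing, write back once.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$PolicyStore,   # e.g. domain.contoso.com\gpo_name
        [Parameter(Mandatory)][hashtable[]]$Rules     # each entry is a New-NetFirewallRule parameter set
    )

    # One read from the domain controller; every edit below touches the cached copy only
    $gpo = Open-NetGPO -PolicyStore $PolicyStore

    # Display names already defined in the cached GPO (empty for a fresh GPO)
    $existing = @(Get-NetFirewallRule -GPOSession $gpo -ErrorAction SilentlyContinue |
                  Select-Object -ExpandProperty DisplayName)

    $added = 0
    foreach ($rule in $Rules) {
        if ($existing -contains $rule.DisplayName) {
            Write-Verbose "Skipping '$($rule.DisplayName)': already defined in $PolicyStore"
            continue
        }
        New-NetFirewallRule @rule -GPOSession $gpo | Out-Null
        $added++
    }

    # Single write-back. This replaces the whole GPO, so run it from one
    # administrative session at a time to avoid overwriting someone else's edits.
    if ($added -gt 0) { Save-NetGPO -GPOSession $gpo }
    Write-Verbose "$added rule(s) added to $PolicyStore"
}

# The two Telnet rules from this section, expressed as parameter sets
$telnetRules = @(
    @{ DisplayName = 'Allow Inbound Telnet'; Direction = 'Inbound'
       Program = '%SystemRoot%\System32\tlntsvr.exe'; RemoteAddress = 'LocalSubnet'; Action = 'Allow' }
    @{ DisplayName = 'Block Outbound Telnet'; Direction = 'Outbound'
       Program = '%SystemRoot%\System32\telnet.exe'; Protocol = 'TCP'; LocalPort = 23; Action = 'Block' }
)
Add-FirewallRulesToGpo -PolicyStore 'domain.contoso.com\gpo_name' -Rules $telnetRules -Verbose
```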
Modify an existing firewall rule
When a rule is created, Netsh and Windows PowerShell allow you to change the properties and influence of the rule, but the rule maintains its unique identifier (in Windows PowerShell, this identifier is specified with the -Name parameter).
For example, you could have a rule Allow Web 80 that enables TCP port 80 for inbound unsolicited traffic. You can change the rule to match a different remote IP address of a web server whose traffic will be allowed by specifying the human-readable, localized name of the rule.
Netsh
```cmd
netsh advfirewall firewall set rule name="Allow Web 80" new remoteip=192.168.0.2
```
Windows PowerShell
```powershell
Set-NetFirewallRule -DisplayName "Allow Web 80" -RemoteAddress 192.168.0.2
```
Netsh requires you to provide the name of the rule for it to be changed, and there's no alternate way of getting the firewall rule. In Windows PowerShell, you can query for the rule using its known properties.
When you run Get-NetFirewallRule, you may notice that common conditions like addresses and ports don't appear. These conditions are represented in separate objects called filters. As shown before, you can set all the conditions in New-NetFirewallRule and Set-NetFirewallRule. If you want to query for firewall rules based on these fields (ports, addresses, security, interfaces, services), you need to get the filter objects.
You can change the remote endpoint of the Allow Web 80 rule (as done previously) using filter objects. Using Windows PowerShell, you query by port using the port filter, then, assuming other rules exist that affect the local port, you build with further queries until your desired rule is retrieved.
In the following example, we assume the query returns a single firewall rule, which is then piped to the Set-NetFirewallRule cmdlet, using Windows PowerShell's ability to pipeline inputs.
Windows PowerShell
```powershell
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 80 } | Get-NetFirewallRule | Where-Object { $_.Direction -eq "Inbound" -and $_.Action -eq "Allow" } | Set-NetFirewallRule -RemoteAddress 192.168.0.2
```
You can also query for rules using the wildcard character. The following example returns an array of firewall rules associated with a particular program. The elements of the array can then be modified with the Set-NetFirewallRule cmdlet.
Windows PowerShell
```powershell
Get-NetFirewallApplicationFilter -Program "*svchost*" | Get-NetFirewallRule
```
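As an added example that is not from the page, the following function joins each enabled inbound Allow rule to its port, address and application filter objects (the conditions that Get-NetFirewallRule alone does not display) and flags rules that accept any program on any port from any remote address, which are the first candidates for tightening with Set-NetFirewallRule. The function name, the WideOpen heuristic and the optional -CimSession pass-through are assumptions of this example.

```powershell
function Get-ExposedInboundRule {
    # Lists enabled inbound Allow rules with their filter conditions, and marks
    # the ones that expose every program and port to every remote address.
    [CmdletBinding()]
    param(
        # Optional CIM session(s) so the same audit can run against remote devices
        [Microsoft.Management.Infrastructure.CimSession[]]$CimSession,
        # ActiveStore shows the rules that are actually being enforced right now
        [string]$PolicyStore = 'ActiveStore'
    )

    $ruleArgs = @{ Direction = 'Inbound'; Action = 'Allow'; Enabled = 'True'; PolicyStore = $PolicyStore }
    if ($CimSession) { $ruleArgs['CimSession'] = $CimSession }

    foreach ($rule in Get-NetFirewallRule @ruleArgs) {
        # The piped rule object carries its CIM session, so the filter lookups
        # go to the same device as the rule query
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        $app  = $rule | Get-NetFirewallApplicationFilter

        [pscustomobject]@{
            DisplayName   = $rule.DisplayName
            Profile       = $rule.Profile
            Protocol      = $port.Protocol
            LocalPort     = ($port.LocalPort -join ',')
            RemoteAddress = ($addr.RemoteAddress -join ',')
            Program       = $app.Program
            # True only when no filter narrows the rule at all
            WideOpen      = [bool](($addr.RemoteAddress -eq 'Any') -and
                                   ($app.Program -eq 'Any') -and
                                   ($port.LocalPort -eq 'Any'))
        }
    }
}

# Review the widest rules first; each row's DisplayName can be fed straight to Set-NetFirewallRule
Get-ExposedInboundRule | Sort-Object WideOpen -Descending | Format-Table -AutoSize
```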
Multiple rules in a group can be modified simultaneously when the name of the associated group is specified in the Set command. You can add firewall rules to specific management groups to manage multiple rules that have the same impact.
In the following example, we add both inbound and outbound Telnet firewall rules to the group Telnet Management. In Windows PowerShell, group membership is specified when the rules are first created, so we re-create the previous example rules. Adding rules to a custom rule group isn't possible in Netsh.
Windows PowerShell
```powershell
New-NetFirewallRule -DisplayName "Allow Telnet In" -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow -Group "Telnet Management"
New-NetFirewallRule -DisplayName "Block Telnet Out" -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Block -Group "Telnet Management"
```
If the group isn't specified at rule creation time, the rule can be added to the rule group using dot notation in Windows PowerShell. You can't specify the group using Set-NetFirewallRule, since that command uses the group to query for rules.
Windows PowerShell
```powershell
$rule = Get-NetFirewallRule -DisplayName "Allow Telnet In"
$rule.Group = "Telnet Management"
$rule | Set-NetFirewallRule
```
Using the Set command, if the rule group name is specified, the group membership isn't modified; rather, all rules of the group receive the same modifications indicated by the given parameters.
The following scriptlet enables all rules in a predefined group that contains the firewall rules for remote management.
Netsh
```cmd
netsh advfirewall firewall set rule group="Windows Defender Firewall Remote Management" new enable=yes
```
Windows PowerShell
```powershell
Set-NetFirewallRule -DisplayGroup "Windows Defender Firewall Remote Management" -Enabled True
```
There's also a separate Enable-NetFirewallRule cmdlet for enabling rules by group or by other properties of the rule.
Windows PowerShell
```powershell
Enable-NetFirewallRule -DisplayGroup "Windows Defender Firewall Remote Management" -Verbose
```
Delete a firewall rule
Rule objects can be disabled so that they're no longer active. In Windows PowerShell, the Disable-NetFirewallRule cmdlet leaves the rule on the system but puts it in a disabled state, so the rule is no longer applied and doesn't affect traffic. A disabled firewall rule can be re-enabled with Enable-NetFirewallRule. This cmdlet is different from the Remove-NetFirewallRule cmdlet, which permanently removes the rule definition from the device.
The following cmdlet removes the specified existing firewall rule from the local policy store.
Netsh
```cmd
netsh advfirewall firewall delete rule name="Allow Web 80"
```
Windows PowerShell
```powershell
Remove-NetFirewallRule -DisplayName "Allow Web 80"
```
Like with other cmdlets, you can also query for rules to be removed. Here, all blocking firewall rules are deleted from the device.
Windows PowerShell
```powershell
Remove-NetFirewallRule -Action Block
```
It may be safer to query the rules with the Get command, save them in a variable, observe the rules to be affected, and then pipe them to the Remove command, just as we did for the Set commands. The following example shows how you can view all the blocking firewall rules and then delete the first four rules.
Windows PowerShell
```powershell
$x = Get-NetFirewallRule -Action Block
$x
$x[0..3] | Remove-NetFirewallRule
```
Manage remotely
Remote management using WinRM is enabled by default. The cmdlets that support the CimSession parameter use WinRM and can be managed remotely by default.
The following example returns all the persistent store firewall rules on a device named RemoteDevice.
Windows PowerShell
```powershell
Get-NetFirewallRule -CimSession RemoteDevice
```
We can perform any modifications or view rules on remote devices by using the -CimSession parameter. Here we remove a specific firewall rule from a remote device.
Windows PowerShell
```powershell
$RemoteSession = New-CimSession -ComputerName RemoteDevice
Remove-NetFirewallRule -DisplayName "AllowWeb80" -CimSession $RemoteSession -Confirm
```
Implement basic IPsec rule configuration
Internet Protocol security (IPsec) policies consist of rules that determine the behavior of IPsec. IPsec supports network-level peer-to-peer authentication, data source authentication, data integrity, data confidentiality (encryption), and replay protection.
Windows PowerShell can create powerful, complex IPsec policies like in Netsh and the Windows Defender Firewall with Advanced Security console. However, because Windows PowerShell is object-based rather than string token-based, configuration in Windows PowerShell offers greater control and flexibility.
In Netsh, the authentication and cryptographic sets were specified as a list of comma-separated tokens in a specific format. In Windows PowerShell, rather than using default settings, you first create your desired authentication or cryptographic proposal objects and bundle them into lists in your preferred order. Then, you create one or more IPsec rules that reference these sets. The benefit of this model is that programmatic access to the information in the rules is much easier. See the following sections for clarifying examples.
Create IPsec rules
The following cmdlet creates a basic IPsec transport mode rule in a Group Policy Object. An IPsec rule is simple to create; all that is required is the display name, and the remaining properties use default values. Inbound traffic is authenticated and integrity checked using the default quick mode and main mode settings. These default settings can be found in the console under Customize IPsec Defaults.
Netsh
```cmd
netsh advfirewall set store gpo=domain.contoso.com\gpo_name
netsh advfirewall consec add rule name="Require Inbound Authentication" endpoint1=any endpoint2=any action=requireinrequestout
```
Windows PowerShell
```powershell
New-NetIPsecRule -DisplayName "Require Inbound Authentication" -PolicyStore domain.contoso.com\gpo_name
```
Add custom authentication methods to the IPsec rule
If you want to create a custom set of quick-mode proposals that includes both AH and ESP in an IPsec rule object, you create the associated objects separately and link their associations. For more information about authentication methods, see Choosing the IPsec Protocols.
You can then use the newly created custom quick-mode policies when you create the IPsec rule. The cryptography set object is linked to an IPsec rule object.
In this example, we build on the previously created IPsec rule by specifying a custom quick-mode crypto set. The final IPsec rule requires outbound traffic to be authenticated by the specified cryptography method.
Netsh
```cmd
netsh advfirewall set store gpo=domain.contoso.com\gpo_name
netsh advfirewall consec add rule name="Require Outbound Authentication" endpoint1=any endpoint2=any action=requireinrequestout qmsecmethods=ah:sha1+esp:sha1-3des
```
Windows PowerShell
```powershell
$AHandESPQM = New-NetIPsecQuickModeCryptoProposal -Encapsulation AH,ESP -AHHash SHA1 -ESPHash SHA1 -Encryption DES3
$QMCryptoSet = New-NetIPsecQuickModeCryptoSet -DisplayName "AH:SHA1+ESP:SHA1-DES3" -Proposal $AHandESPQM -PolicyStore domain.contoso.com\gpo_name
New-NetIPsecRule -DisplayName "Require Inbound Authentication" -InboundSecurity Require -OutboundSecurity Request -QuickModeCryptoSet $QMCryptoSet.Name -PolicyStore domain.contoso.com\gpo_name
```
IKEv2 IPsec Transport Rules
A corporate network may need to secure communications with another agency. But you discover that the agency runs non-Windows operating systems and requires the use of the Internet Key Exchange Version 2 (IKEv2) standard.
You can apply IKEv2 capabilities in Windows Server 2012 by specifying IKEv2 as the key module in an IPsec rule. This capability specification can only be done using computer certificate authentication and can't be used with phase 2 authentication.
Windows PowerShell
```powershell
New-NetIPsecRule -DisplayName "Require Inbound Authentication" -InboundSecurity Require -OutboundSecurity Request -Phase1AuthSet MyCertAuthSet -KeyModule IKEv2 -RemoteAddress $nonWindowsGateway
```
For more information about IKEv2, including scenario descriptions, see Securing End-to-End IPsec Connections by Using IKEv2.
Copy IPsec rule from one policy to another
Firewall and IPsec rules with the same properties can be duplicated to make it easy to recreate them in different policy stores.
To copy the previously created rule from one policy store to another, the associated objects must also be copied separately. There's no need to copy associated firewall filters. You can query rules to be copied in the same way as other cmdlets.
Copying individual rules is a task that isn't possible through the Netsh interface. Here's how you can accomplish it with Windows PowerShell.
Windows PowerShell
```powershell
$Rule = Get-NetIPsecRule -DisplayName "Require Inbound Authentication"
$Rule | Copy-NetIPsecRule -NewPolicyStore domain.contoso.com\new_gpo_name
$Rule | Copy-NetPhase1AuthSet -NewPolicyStore domain.contoso.com\new_gpo_name
```
Windows PowerShell error handling
To handle errors in your Windows PowerShell scripts, you can use the -ErrorAction parameter. This parameter is especially useful with the Remove cmdlets. If you want to remove a particular rule, you'll notice that it fails if the rule isn't found. When removing rules, if the rule isn't already there, it's acceptable to ignore that error. In this case, you can do the following to suppress any "rule not found" errors during the remove operation.
Windows PowerShell
```powershell
Remove-NetFirewallRule -DisplayName "Contoso Messenger 98" -ErrorAction SilentlyContinue
```
Using wildcards can also suppress errors, but they could potentially match rules that you didn't intend to remove. These wildcards can be a useful shortcut, but should only be used if you know there aren't any extra rules that will be accidentally deleted. So the following cmdlet will also remove the rule, suppressing any "not found" errors.
Windows PowerShell
```powershell
Remove-NetFirewallRule -DisplayName "Contoso Messenger 98*"
```
When using wildcards, if you want to double-check the set of rules that is matched, you can use the -WhatIf parameter.
Windows PowerShell
```powershell
Remove-NetFirewallRule -DisplayName "Contoso Messenger 98*" -WhatIf
```
If you only want to delete some of the matched rules, you can use the -Confirm parameter to get a rule-by-rule confirmation prompt.
Windows PowerShell
```powershell
Remove-NetFirewallRule -DisplayName "Contoso Messenger 98*" -Confirm
```
You can also just perform the whole operation, displaying the name of each rule as the operation is performed.
Windows PowerShell
```powershell
Remove-NetFirewallRule -DisplayName "Contoso Messenger 98*" -Verbose
```
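As an added example (not from the page), the following function combines the safeguards discussed in this section and in the Delete section above: it queries first and keeps the result in a variable, suppresses only the "rule not found" case, shows the matched set, and then removes rule by rule through ShouldProcess so that the standard -WhatIf, -Confirm and -Verbose switches apply. The function name and the ConfirmImpact setting are assumptions of this example; the wildcard Contoso Messenger 98* is the page's own.

```powershell
function Remove-FirewallRuleSafely {
    # Query, review, then remove. SupportsShouldProcess gives the function the same
    # -WhatIf / -Confirm / -Verbose behavior shown for Remove-NetFirewallRule above.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$DisplayName,   # exact name or wildcard, e.g. 'Contoso Messenger 98*'
        [string]$PolicyStore = 'PersistentStore'
    )

    # Keep the query result in a variable; nothing is deleted until the list has been inspected.
    # A missing rule is not an error for a remove, so "rule not found" is suppressed here only.
    $found = @(Get-NetFirewallRule -DisplayName $DisplayName -PolicyStore $PolicyStore -ErrorAction SilentlyContinue)
    if ($found.Count -eq 0) {
        Write-Verbose "No rule matches '$DisplayName' in $PolicyStore; nothing to do"
        return
    }

    # An unexpected entry in this list means the wildcard is too broad: stop and narrow it
    $found | Select-Object DisplayName, Direction, Action, Enabled, Profile |
        Format-Table -AutoSize | Out-String | Write-Verbose

    foreach ($rule in $found) {
        # ShouldProcess returns $false under -WhatIf (and prints the would-be action),
        # and prompts per rule under -Confirm or because ConfirmImpact is High
        if ($PSCmdlet.ShouldProcess($rule.DisplayName, 'Remove firewall rule')) {
            $rule | Remove-NetFirewallRule
        }
    }
}

# Dry run: lists every rule the pattern would delete without touching the store
Remove-FirewallRuleSafely -DisplayName 'Contoso Messenger 98*' -WhatIf -Verbose
# Real run: each matched rule is confirmed individually unless -Confirm:$false is passed
Remove-FirewallRuleSafely -DisplayName 'Contoso Messenger 98*'
```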
Monitor
The following Windows PowerShell commands are useful in the update cycle of a deployment phase.
To allow you to view all the IPsec rules in a particular store, you can use the following commands. In Netsh, this command doesn't show rules where profile=domain,public or profile=domain,private. It only shows rules that have the single entry domain included in the rule. The following command examples show the IPsec rules in all profiles.
Netsh
```cmd
netsh advfirewall consec show rule name=all
```
Windows PowerShell
Show-NetIPsecRule –PolicyStore ActiveStore
You can monitor main mode security associations for information such as which peers are currently connected to the device and which protection suite is used to form the security associations.
Use the following cmdlet to view existing main mode rules and their security associations:
Netsh
```cmd
netsh advfirewall monitor show mmsa all
```
Windows PowerShell
Get-NetIPsecMainModeSA
Find the source GPO of a rule
To view the properties of a particular rule or group of rules, you query for the rule. When a query returns fields that are specified as NotConfigured, you can determine which policy store a rule originates from.
For objects that come from a GPO (the -PolicyStoreSourceType parameter is specified as GroupPolicy in the Show command), if -TracePolicyStore is passed, the name of the GPO is found and returned in the PolicyStoreSource field.
Windows PowerShell
```powershell
Get-NetIPsecRule -DisplayName "Require Inbound Authentication" -TracePolicyStore
```
It's important to note that the revealed sources don't contain a domain name.
Implement a basic domain isolation policy
IPsec can be used to isolate domain members from non-domain members. Domain isolation uses IPsec authentication to require domain-joined devices to positively identify communicating devices to enhance organizational security. One or more IPsec functions can be used to protect traffic with an IPsec rule object.
To implement domain isolation on your network, the devices in the domain receive IPsec rules that block unsolicited inbound network traffic that isn't protected by IPsec. Here we create an IPsec rule that requires authentication by domain members. Through this authentication, you can isolate domain-joined devices from devices that aren't joined to a domain. In the following examples, Kerberos authentication is required for inbound traffic and requested for outbound traffic.
Netsh
```cmd
netsh advfirewall set store gpo=domain.contoso.com\domain_isolation
netsh advfirewall consec add rule name="Basic Domain Isolation Policy" profile=domain endpoint1="any" endpoint2="any" action=requireinrequestout auth1="computerkerb"
```
Windows PowerShell
```powershell
$kerbprop = New-NetIPsecAuthProposal -Machine -Kerberos
$Phase1AuthSet = New-NetIPsecPhase1AuthSet -DisplayName "Kerberos Auth Phase1" -Proposal $kerbprop -PolicyStore domain.contoso.com\domain_isolation
New-NetIPsecRule -DisplayName "Basic Domain Isolation Policy" -Profile Domain -Phase1AuthSet $Phase1AuthSet.Name -InboundSecurity Require -OutboundSecurity Request -PolicyStore domain.contoso.com\domain_isolation
```
Configure IPsec tunnel mode
The following command creates an IPsec tunnel that routes traffic from a private network (192.168.0.0/16) through an interface on the local device (1.1.1.1) attached to a public network to a second device through its public interface (2.2.2.2) to another private network (192.157.0.0/16). All traffic through the tunnel is checked for integrity by using ESP/SHA1, and it's encrypted by using ESP/DES3.
Netsh
```cmd
netsh advfirewall consec add rule name="Tunnel from 192.168.0.0/16 to 192.157.0.0/16" mode=tunnel endpoint1=192.168.0.0/16 endpoint2=192.157.0.0/16 localtunnelendpoint=1.1.1.1 remotetunnelendpoint=2.2.2.2 action=requireinrequireout qmsecmethods=esp:sha1-3des
```
Windows PowerShell
```powershell
$QMProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA1 -Encryption DES3
$QMCryptoSet = New-NetIPsecQuickModeCryptoSet -DisplayName "esp:sha1-des3" -Proposal $QMProposal
New-NetIPSecRule -DisplayName "Tunnel from HQ to Dallas Branch" -Mode Tunnel -LocalAddress 192.168.0.0/16 -RemoteAddress 192.157.0.0/16 -LocalTunnelEndpoint 1.1.1.1 -RemoteTunnelEndpoint 2.2.2.2 -InboundSecurity Require -OutboundSecurity Require -QuickModeCryptoSet $QMCryptoSet.Name
```
Implement secure firewall rules with IPsec
In situations where only secure traffic can be allowed through Windows Defender Firewall, a combination of manually configured firewall and IPsec rules is necessary. The firewall rules determine the level of security for allowed packets, and the underlying IPsec rules secure the traffic. Scenarios can be accomplished in Windows PowerShell and in Netsh, with many similarities in deployment.
Create a secure firewall rule (allow if secure)
Configuring a firewall rule to allow connections if they are secure requires that the relevant traffic be authenticated and protected, and then optionally encrypted by IPsec.
The following example creates a firewall rule that requires traffic authentication. The command allows incoming Telnet traffic only if the connection from the remote device is authenticated by a separate IPsec rule.
Netsh
```cmd
netsh advfirewall firewall add rule name="Allow Authenticated Telnet" dir=in program=%SystemRoot%\System32\tlntsvr.exe security=authenticate action=allow
```
Windows PowerShell
```powershell
New-NetFirewallRule -DisplayName "Allow Authenticated Telnet" -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -Authentication Required -Action Allow
```
The following command creates an IPsec rule that requires a first (computer) authentication and then attempts an optional second (user) authentication. Creating this rule secures and allows the traffic through the firewall rule requirements for the messaging program.
Netsh
```cmd
netsh advfirewall consec add rule name="Authenticate Both Computer and User" endpoint1=any endpoint2=any action=requireinrequireout auth1=computerkerb,computerntlm auth2=userkerb,userntlm,anonymous
```
Windows PowerShell
```powershell
$mkerbauthprop = New-NetIPsecAuthProposal -Machine -Kerberos
$mntlmauthprop = New-NetIPsecAuthProposal -Machine -NTLM
$P1Auth = New-NetIPsecPhase1AuthSet -DisplayName "Machine Auth" -Proposal $mkerbauthprop,$mntlmauthprop
$ukerbauthprop = New-NetIPsecAuthProposal -User -Kerberos
$unentlmauthprop = New-NetIPsecAuthProposal -User -NTLM
$anonyauthprop = New-NetIPsecAuthProposal -Anonymous
$P2Auth = New-NetIPsecPhase2AuthSet -DisplayName "User Auth" -Proposal $ukerbauthprop,$unentlmauthprop,$anonyauthprop
New-NetIPSecRule -DisplayName "Authenticate Both Computer and User" -InboundSecurity Require -OutboundSecurity Require -Phase1AuthSet $P1Auth.Name -Phase2AuthSet $P2Auth.Name
```
Isolate a server by requiring encryption and group membership
To improve the security of the devices in an organization, you can deploy domain isolation in which domain members are restricted. They require authentication when communicating with each other and reject non-authenticated inbound connections. To improve the security of servers with sensitive data, that data must be protected by allowing access only to a subset of devices within the enterprise domain.
IPsec can provide this additional layer of protection by isolating the server. In server isolation, access to sensitive data is limited to users and devices with legitimate business needs, and data is further encrypted to prevent eavesdropping.
Create a firewall rule that requires group membership and encryption
To deploy server isolation, we layer a firewall rule that restricts traffic to authorized users or devices on top of the IPsec rule that enforces authentication.
The following firewall rule allows Telnet traffic from user accounts that are members of a custom group called "Authorized to Access Server." This access can additionally be restricted based on the device, user, or both by specifying the restriction parameters.
A Security Descriptor Definition Language (SDDL) string is created by extending a user's or group's security identifier (SID). For more information about finding a group's SID, see: Find the SID for a group account.
Restricting access to a group allows administrators to extend strong authentication support through Windows Defender Firewall and/or IPsec policies.
The following example shows you how to create an SDDL string that represents security groups.
Windows PowerShell
```powershell
$user = New-Object System.Security.Principal.NTAccount("corp.contoso.com\Administrators")
$SIDofSecureUserGroup = $user.Translate([System.Security.Principal.SecurityIdentifier]).Value
$secureUserGroup = "D:(A;;CC;;;$SIDofSecureUserGroup)"
```
Using the script above, you can also get the SDDL string for a secure group of computers as shown here:
Windows PowerShell
$SecureMachineGroup = "D:(A;;CC;;;$SIDofSecureMachineGroup)"
For more information about how to create security groups or how to determine the SDDL string, see Working with SIDs.
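As an added example that is not part of the page, the following functions generalize the snippet above to several groups, producing one SDDL string with one ACE per group (the form accepted by the -RemoteUser and -RemoteMachine parameters), and round-trip the result through ConvertFrom-SddlString so the resolved principals can be checked before the string goes into a rule. The group names other than "Authorized to Access Server" are constructed for this example and must exist in a reachable domain; the function names are assumptions.

```powershell
function New-FirewallGroupSddl {
    # Translate each group name to its SID and emit one access-allowed ACE per group:
    # D:(A;;CC;;;SID-1)(A;;CC;;;SID-2)...
    param(
        [Parameter(Mandatory)][string[]]$GroupName   # 'DOMAIN\Group' or 'domain.fqdn\Group'
    )
    $aces = foreach ($name in $GroupName) {
        $account = New-Object System.Security.Principal.NTAccount($name)
        # Translate() throws IdentityNotMappedException when the group cannot be resolved,
        # which is better than silently building a rule that matches nobody
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
        "(A;;CC;;;$sid)"
    }
    'D:' + ($aces -join '')
}

function Show-FirewallGroupSddl {
    # Parse the string back into readable ACEs (principal name and access type) for review
    param([Parameter(Mandatory)][string]$Sddl)
    (ConvertFrom-SddlString -Sddl $Sddl).DiscretionaryAcl
}

# 'Authorized to Access Server' is the group named in this section; the two machine
# groups are constructed names for this example
$secureUserGroup    = New-FirewallGroupSddl -GroupName 'corp.contoso.com\Authorized to Access Server'
$secureMachineGroup = New-FirewallGroupSddl -GroupName 'corp.contoso.com\Isolated Servers',
                                                       'corp.contoso.com\Scan Servers'

# Each line printed should name the intended group with AccessAllowed; anything else
# means a typo in the group name resolved to the wrong principal
Show-FirewallGroupSddl -Sddl $secureUserGroup
Show-FirewallGroupSddl -Sddl $secureMachineGroup
```

The resulting $secureUserGroup and $secureMachineGroup variables can be used directly in the New-NetFirewallRule and Set-NetFirewallSetting commands that follow.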
Telnet is an application that doesn't provide encryption. This application can send data, such as names and passwords, over the network. This data can be intercepted by malicious users. If an administrator would like to allow the use of Telnet but protect the traffic, a firewall rule that requires IPsec encryption can be created. This firewall rule is necessary so that the administrator can be certain that when this application is used, all of the traffic sent or received through this port is encrypted. If IPsec fails to authorize the connection, no traffic is allowed from this application.
In this example, we allow only authenticated and encrypted inbound Telnet traffic from a specified secure user group by creating the following firewall rule.
Netsh
```cmd
netsh advfirewall set store gpo=domain.contoso.com\Server_Isolation
netsh advfirewall firewall add rule name="Allow Encrypted Inbound Telnet to Group Members Only" program=%SystemRoot%\System32\tlntsvr.exe protocol=TCP dir=in action=allow localport=23 security=authenc rmtusrgrp="D:(A;;CC;;;S-1-5-21-2329867823-2610410949-1491576313-1735)"
```
Windows PowerShell
```powershell
New-NetFirewallRule -DisplayName "Allow Encrypted Inbound Telnet to Group Members Only" -Program %SystemRoot%\System32\tlntsvr.exe -Protocol TCP -Direction Inbound -Action Allow -LocalPort 23 -Authentication Required -Encryption Required -RemoteUser $secureUserGroup -PolicyStore domain.contoso.com\Server_Isolation
```
Endpoint security enforcement
The previous example shows end-to-end protection for a single application. Where many applications need this kind of protection, one firewall rule per application becomes cumbersome and hard to manage. Instead of authorizing peers rule by rule, you can perform the authorization once at the IPsec layer.
In this example, we configure the global IPsec settings so that transport-mode traffic is accepted only from an authorized group of computers, using the following cmdlet (the corresponding parameter for a group of users is -RemoteUserTransportAuthorizationList). See the previous examples on how to build the SDDL string for a security group.
Windows PowerShell
Set-NetFirewallSetting -RemoteMachineTransportAuthorizationList $secureMachineGroup
Create firewall rules that allow network traffic protected by IPsec (authenticated bypass)
Authenticated bypass allows traffic from a specific trusted user or device to bypass firewall block rules. This override is useful when an administrator wants to use scanning servers to monitor and update devices without having to open port-level exceptions. For more information, see How to enable authenticated firewall bypass.
This example assumes that a block rule is already in place. Network traffic on any port from any IP address overrides that block rule if the traffic is authenticated as coming from a device or user account that is a member of the specified device or user security group.
Netsh
netsh advfirewall set store gpo=domain.contoso.com\domain_isolation
netsh advfirewall firewall add rule name="Secure inbound bypass rule" dir=in security=authenticate action="bypass" rmtcomputergrp="D:(A;;CC;;;S-1-5-21-2329867823-2610410949-1491576313-1114)" rmtusrgrp="D:(A;;CC;;;S-1-5-21-2329867823-2610410949-1491576313-1735)"
Windows PowerShell
New-NetFirewallRule -DisplayName "Secure inbound bypass rule" -Direction Inbound -Authentication Required -OverrideBlockRules $true -RemoteMachine $secureMachineGroup -RemoteUser $secureUserGroup -PolicyStore domain.contoso.com\domain_isolation
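Rules that require IPsec authentication, rules that bypass block rules, and the global transport authorization lists set in the previous two sections are the parts of a policy store an auditor wants to see together: every group listed there is effectively a trust boundary. The following added example (not code from the original page) reads a policy store and reports those rules and lists with the SIDs resolved back to account names. It assumes the GPO store names used on this page and, for a GPO store, that the GroupPolicy module from RSAT is installed; pass PersistentStore to inspect the local machine instead.

```powershell
# Added example: audit IPsec-dependent firewall rules and global transport
# authorization in a policy store. Store names are the ones used on this page.

function Resolve-SddlAccounts {
    param([string] $Sddl)
    # Unrestricted filters show as "Any" (or empty) rather than an SDDL string.
    if ([string]::IsNullOrEmpty($Sddl) -or -not $Sddl.StartsWith('D:')) { return $Sddl }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $names = foreach ($ace in $sd.DiscretionaryAcl) {
        try   { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $ace.SecurityIdentifier.Value }   # keep the raw SID if the group no longer resolves
    }
    return $names -join '; '
}

function Get-IPsecDependentRules {
    param([string] $PolicyStore = 'PersistentStore')
    $rules = Get-NetFirewallRule -PolicyStore $PolicyStore -Enabled True
    foreach ($rule in $rules) {
        $sec = $rule | Get-NetFirewallSecurityFilter
        # Ordinary rules neither require authentication nor bypass blocks; skip them.
        if ($sec.Authentication -eq 'NotRequired' -and $sec.OverrideBlockRules -ne $true) { continue }
        [pscustomobject]@{
            Rule           = $rule.DisplayName
            Direction      = $rule.Direction
            Action         = $rule.Action
            Authentication = $sec.Authentication     # Required / NoEncap / NotRequired
            Encryption     = $sec.Encryption         # Required / Dynamic / NotRequired
            Bypass         = $sec.OverrideBlockRules
            RemoteUsers    = Resolve-SddlAccounts $sec.RemoteUser
            RemoteMachines = Resolve-SddlAccounts $sec.RemoteMachine
        }
    }
}

function Get-GlobalTransportAuthorization {
    param([string] $PolicyStore = 'PersistentStore')
    $s = Get-NetFirewallSetting -PolicyStore $PolicyStore
    [pscustomobject]@{
        PolicyStore = $PolicyStore
        Machines    = Resolve-SddlAccounts $s.RemoteMachineTransportAuthorizationList
        Users       = Resolve-SddlAccounts $s.RemoteUserTransportAuthorizationList
    }
}

foreach ($store in 'domain.contoso.com\Server_Isolation', 'domain.contoso.com\domain_isolation') {
    Get-IPsecDependentRules -PolicyStore $store | Format-Table -AutoSize
    Get-GlobalTransportAuthorization -PolicyStore $store | Format-List
}
```

Two things to look for in the output: a bypass rule whose RemoteUsers and RemoteMachines both read Any, which lets any authenticated peer past every block rule, and a rule with Authentication Required whose Encryption is NotRequired when the text above called for encryption, which only proves the peer's identity and still sends the payload in the clear.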
Additional resources
For more information about Windows PowerShell concepts, see the following topics.
Windows PowerShell Getting Started Guide
Windows PowerShell User Guide
Windows PowerShell About Help Topics
about_Functions
about_Functions_Advanced
about_Execution_Policies
about_Foreach
about_Objects
about_Properties
about_While
about_Scripts
about_Signing
about_Throw
about_PSSessions
about_Modules
about_Command_Precedence