{"id":14063664,"url":"https://github.com/metablaster/WindowsFirewallRuleset","last_synced_at":"2025-07-29T16:30:55.682Z","repository":{"id":45556658,"uuid":"227706307","full_name":"metablaster/WindowsFirewallRuleset","owner":"metablaster","description":"PowerShell scripts to automatically create rules for Windows firewall","archived":false,"fork":false,"pushed_at":"2024-11-05T16:32:18.000Z","size":15251,"stargazers_count":165,"open_issues_count":0,"forks_count":37,"subscribers_count":10,"default_branch":"master","last_synced_at":"2024-11-05T17:34:42.028Z","etag":null,"topics":["automatic","automation","automation-framework","firewall","firewall-management","firewall-rules","gpo","gpo-firewall","powershell","powershell-adminscripts","rules","ruleset","security","windows","windows-firewall"],"latest_commit_sha":null,"homepage":"https://metablaster.github.io/WindowsFirewallRuleset/","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/metablaster.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":"SUPPORT.md","governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"custom":"https://paypal.me/metablaster"}},"created_at":"2019-12-12T22:14:30.000Z","updated_at":"2024-09-19T20:13:47.000Z","dependencies_parsed_at":"2023-12-10T20:27:07.554Z","dependency_job_id":"33c353dc-eaec-4e5f-94a1-9df71560382c","html_url":"https://github.com/metablaster/WindowsFirewallRuleset","commit_stats":null,"previous_names":[],"tags_count":19,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositor
ies/metablaster%2FWindowsFirewallRuleset","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/metablaster%2FWindowsFirewallRuleset/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/metablaster%2FWindowsFirewallRuleset/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/metablaster%2FWindowsFirewallRuleset/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/metablaster","download_url":"https://codeload.github.com/metablaster/WindowsFirewallRuleset/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":228028607,"owners_count":17858360,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["automatic","automation","automation-framework","firewall","firewall-management","firewall-rules","gpo","gpo-firewall","powershell","powershell-adminscripts","rules","ruleset","security","windows","windows-firewall"],"created_at":"2024-08-13T07:03:27.028Z","updated_at":"2024-12-04T01:31:10.657Z","avatar_url":"https://github.com/metablaster.png","language":"PowerShell","readme":"\r\n# Windows Firewall Ruleset\r\n\r\n![Alt Text][corporate firewall]\r\n\r\n## Table of Contents\r\n\r\n- [Windows Firewall Ruleset](#windows-firewall-ruleset)\r\n  - [Table of Contents](#table-of-contents)\r\n  - [About Windows Firewall Ruleset](#about-windows-firewall-ruleset)\r\n    - [Firewall rules](#firewall-rules)\r\n    - [Firewall framework](#firewall-framework)\r\n  - [The vision of this firewall](#the-vision-of-this-firewall)\r\n  - 
[License](#license)\r\n  - [Requirements](#requirements)\r\n    - [Requirements details](#requirements-details)\r\n    - [I don't meet the requirements](#i-dont-meet-the-requirements)\r\n  - [First time user](#first-time-user)\r\n    - [Warning](#warning)\r\n    - [Note](#note)\r\n    - [Quick start](#quick-start)\r\n  - [Firewall management](#firewall-management)\r\n    - [Automated and interactive firewall deployment](#automated-and-interactive-firewall-deployment)\r\n    - [Manage GPO rules](#manage-gpo-rules)\r\n    - [Deploying individual rulesets](#deploying-individual-rulesets)\r\n    - [Deleting rules](#deleting-rules)\r\n    - [Export/Import rules](#exportimport-rules)\r\n  - [Remote firewall deployment](#remote-firewall-deployment)\r\n  - [Support, updates and documentation](#support-updates-and-documentation)\r\n  - [The future](#the-future)\r\n\r\n## About Windows Firewall Ruleset\r\n\r\n[![Alpha release][badge status]][alpha]\r\n\r\nA fully automated solution for Windows firewall with PowerShell\r\n\r\n`Windows Firewall Ruleset` configures Windows firewall automatically and applies restrictive\r\nfirewall rules specific for target system and software installed on the system.\r\n\r\nStatus of this project is still alpha, click on \"status\" badge above to learn more.\\\r\nThis project consists of two major parts, firewall rules and firewall framework as follows:\r\n\r\n### Firewall rules\r\n\r\nWindows firewall rules sorted into individual PowerShell scripts according to:\r\n\r\n- Rule group\r\n- Traffic direction (ex. 
inbound, outbound or IPSec)\r\n- Software type and publisher\r\n- IP version (IPv4 / IPv6)\r\n\r\nSuch as for example:\r\n\r\n- ICMP traffic\r\n- Browser rules\r\n- Built in OS software\r\n- Store apps\r\n- Windows services\r\n- Multiplayer Games\r\n- Microsoft programs\r\n- 3rd party programs\r\n- broadcast traffic\r\n- multicast traffic\r\n\r\n### Firewall framework\r\n\r\n- Firewall framework consists of a number of PowerShell modules, scripts and documentation used to\r\ngather environment information relevant to build and deploy firewall specialized for target system\r\nsuch as:\r\n\r\n  - Computers on network\r\n  - Installed programs\r\n  - IP subnet math\r\n  - Remote or local system users\r\n  - Network configuration\r\n  - GPO configuration\r\n  - Firewall management\r\n  - Quick analysis of packet trace and audit logs\r\n  - Various troubleshooting, firewall, system and network utility functions\r\n\r\n- Thus this repository is a good starting point to easily extend your firewall to include more rules\r\nand functionalities as desired.\r\n- Currently there are some 800+ firewall rules, 10+ modules with 100+ functions, several scripts\r\nand a good portion of useful documentation.\r\n- You can interactively choose which rules you want, and deploy only those or you could automate the\r\nprocess and deploy all the necessary rules and settings to your firewall.\r\n\r\n[Table of Contents](#table-of-contents)\r\n\r\n## The vision of this firewall\r\n\r\n[![Managed in VSCode][badge vscode]][vscode]\r\n[![PowerShell][badge language]][powershell]\r\n\r\n1. Detailed firewall configuration is time consuming process, takes a lot of troubleshooting,\r\nchanges require testing and security auditing and it only gets worse if you need to deploy firewall\r\nto hundreds or thousands of remote computers, for example not all computers might have same software\r\nor restriction requirements.\r\n\r\n2. 
Unlike firewall rules in control panel, these rules are loaded into GPO firewall\r\n(Local Group Policy), meaning system settings changes or random programs which install rules as\r\npart of their installation process will have no effect on firewall unless you explicitly make an\r\nexception.\r\n\r\n3. Rules based on programs and services will have their specified executable file checked for\r\ndigital signature and will be scanned on VirusTotal if digital signature is missing,\r\nfor security reasons rule is not created or loaded into firewall if this verification fails.\r\n(can be forced)\r\n\r\n4. Default outbound is \"block\" unless there is a rule to allow network traffic, in most firewalls\r\nthis is not possible unless you maintain rules for every possible program or service,\r\nthanks to this collection of rules, setting default outbound to block requires very little or no\r\nadditional work.\r\n\r\n5. Unlike in usual scenario, you will know which rules no longer have an effect or are redundant\r\ndue to ex. uninstalled program, a missing system service which no longer exists, renamed\r\nexecutable after Windows update and similar reasons.\r\n\r\n6. Unlike predefined Windows firewall rules, these rules are more restrictive such as,\r\ntied to explicit user accounts, rules apply to specific ports, network interfaces, specific\r\nexecutables, services etc. all of which is learned automatically from target system.\r\n\r\n7. Updating, filtering or searching rules and attributes such as ports, addresses and similar is\r\nmuch easier since these rules are in scripts, you can use editor tools such as [regex](/docs/Regex.md),\r\n[multicursor][multicursor] or `CTRL + F` to perform bulk operations on your rules, doing this in\r\nany firewall UI is not possible due to user interface limitations.\r\n\r\n8. 
A good portion of code is dedicated to provide automated solution to build and define firewall\r\nspecialized for target system and users, minimizing the need to do something manually thus saving\r\nyou much valuable administration time.\r\n\r\n[Table of Contents](#table-of-contents)\r\n\r\n## License\r\n\r\n[![MIT license][badge license]](/LICENSE \"View license\")\r\n\r\nThis project `Windows Firewall Ruleset` is licensed under the `MIT` license.\r\n\r\nSome scripts, files or modules are not `MIT` licensed or may have their own Copyright holders\r\nfor this reason license and Copyright notices are maintained **\"per file\"**.\r\n\r\n## Requirements\r\n\r\n[![Windows][badge system]][windows]\r\n\r\nThe following table lists operating systems on which `Windows Firewall Ruleset` has been tested\r\n\r\n| OS                  | Edition       | Version     | Architecture |\r\n| ------------------- | ------------- | ----------- | ------------ |\r\n| Windows 10          | Pro           | 1809 - 22H2 | x64          |\r\n| Windows 10          | Pro Education | 20H2        | x64          |\r\n| Windows 10          | Enterprise    | 1809 - 20H2 | x64          |\r\n| Windows 10          | Education     | 20H2 - 22H2 | x64          |\r\n| Windows 11          | Pro Education | 21H2        | x64          |\r\n| Windows 11          | Pro           | 22H2 - 23H2 | x64          |\r\n| Windows 11          | Enterprise    | 22H2        | x64          |\r\n| Windows Server 2019 | Essentials    | 1809        | x64          |\r\n| Windows Server 2019 | Standard      | 1809        | x64          |\r\n| Windows Server 2019 | Datacenter    | 1809        | x64          |\r\n| Windows Server 2022 | Standard      | 21H2        | x64          |\r\n| Windows Server 2022 | Datacenter    | 21H2        | x64          |\r\n\r\n***\r\n\r\n1. Windows PowerShell 5.1 or PowerShell Core 7.3.x [Download PowerShell Core][download core]\r\n2. 
.NET Framework 4.5 (Windows PowerShell only) [Download Net Framework][download .net]\r\n3. `sigcheck64.exe` (Highly recommended) [Download sigcheck][sigcheck]\r\n4. Git (Optional) [Download Git][download git]\r\n5. Visual Studio Code (Recommended) [Download VSCode][vscode]\r\n6. PowerShell Support for VSCode (Recommended) [Download extension][download powershell extension]\r\n7. PSScriptAnalyzer (Recommended) [Download PSScriptAnalyzer][module psscriptanalyzer]\r\n\r\n[Table of Contents](#table-of-contents)\r\n\r\n### Requirements details\r\n\r\n- All Windows 10.0 systems (Major 10, Minor 0) and above except `Home` editions are supported,\r\nbut only those editions listed in the table above have been tested.\\\r\nThe \"Version\" column lists tested releases, however only latest OS builds continue to be tested.\\\r\nA list of other untested but supported systems and features is in [The future](#the-future)\r\n\r\n- `PowerShell Core` is not built into Windows, you will need to install it separately or use\r\n[Windows PowerShell](/docs/WindowsPowerShell.md) which is part of operating system.\r\n\r\n- `.NET Framework` min. 
version 4.5 is required if using Windows PowerShell (Desktop edition)\r\ninstead of PowerShell Core.\\\r\nWindows 10 ships with min .NET 4.6 (which includes .NET 4.5), and Windows 11 ships with min .NET 4.8\r\n\r\n- `sigcheck64.exe` (or 32 bit `sigcheck.exe`) is a digital signature verification tool which you can\r\ndownload from Microsoft site and should be placed either into `C:\\tools` directory or to `%PATH%`\r\nenvironment variable.\\\r\n`Windows Firewall Ruleset` will use it to perform hash based online malware analysis on VirusTotal\r\nfor every executable that is not digitally signed before a firewall rule is made for that executable.\\\r\nThis is only a recommendation, if there is no `sigcheck64.exe` in `PATH` you're offered to download\r\nit and if you decline no malware analysis is made.\\\r\nBy using this functionality you agree to [VirusTotal Terms of Service][virustotal terms],\r\n[VirusTotal Privacy Policy][virustotal privacy] and [Sysinternals Software License Terms][sysinternals terms]\r\n\r\n- You might want to have git to check out for updates,\r\nto easily switch between branches or to contribute code.\r\n\r\n- VS Code is preferred and recommended editor to navigate code and or to edit scripts for your\r\nown needs or contribution.\r\n\r\n- If you get VSCode, you'll also need PowerShell extension for code navigation and PowerShell\r\nlanguage features.\r\n\r\n- To navigate and edit code with VSCode `PSScriptAnalyzer` is highly recommended, otherwise editing\r\nexperience may behave oddly due to various repository settings.\r\n\r\n- There are no hardware requirements, but if you plan to write and debug code recommendation is min.\r\n8GB of memory and SSD drive to comfortably work on project, otherwise to just deploy rules to your\r\npersonal firewall less than that will work just fine.\r\n\r\n[Table of Contents](#table-of-contents)\r\n\r\n### I don't meet the requirements\r\n\r\nAt the moment this firewall is tested and designed for most recent 
Windows Desktop/Servers and that\r\nis known to work, to make use of it on older systems requires additional work.\r\n\r\nTesting is done on 64 bit Windows, a small fraction of rules won't work for 32 bit system and\r\nneed adjustment, full functionality for 32 bit system is work in progress.\\\r\nFor now you can load rules on 32 bit system just fine with the exception of few rules probably not\r\nrelevant at all for your configuration.\r\n\r\nFor information on how to make use of this firewall on older Windows systems such as Windows 7 or\r\nWindows Server 2008 see [Legacy Support](/docs/LegacySupport.md)\r\n\r\n[Table of Contents](#table-of-contents)\r\n\r\n## First time user\r\n\r\nThe following are brief warnings and notices first time user should be aware of before deploying firewall\r\n\r\n### Warning\r\n\r\n- You might lose internet connectivity for some of your programs or in rare cases even lose\r\ninternet connectivity completely, if that happens, you can either temporarily allow outbound network\r\nin GPO or run\\\r\n`.\\Scripts\\Reset-Firewall.ps1 -Remoting -Service`, to reset GPO firewall to system defaults,\r\nremove all rules and restore WinRM and modified services to system defaults.\r\n(afterwards PowerShell restart is required)\r\n\r\n- Inside `docs` directory there is a `ResetFirewall.md`, a guide on how to do it manually, by hand,\r\nif for some reason you're unable to run the script, or the script doesn't solve your problems.\r\n\r\n- Your existing rules will not be deleted unless you have rules in GPO with exact same group names\r\nas rules from this ruleset, however **this does not apply to** `Scripts\\Reset-Firewall.ps1` which\r\nwill clear GPO rules completely and leave only those in control panel.\r\n\r\n- If you want to be 100% sure please export your GPO rules as explained in\r\n[Export\\Import rules](#exportimport-rules)\r\n\r\n- You will be asked which rules to load (if you select interactive deployment, see later),\r\nto minimize 
internet connectivity trouble you should deploy at least all generic networking and OS\r\nrelated rules called \"CoreNetworking\", \"ICMP\", \"WindowsSystem\", \"WindowsServices\", \"Multicast\"\r\nincluding all rules for which you have programs installed on system, also do not ignore IPv6,\r\nWindows needs IPv6 even if you're on IPv4 network.\\\r\nIt will be easy to delete what you don't need in GPO, rather than later digging through code finding\r\nwhat you have missed.\r\n\r\n- Default configuration will set global firewall behavior which is not configurable in GPO,\r\nsuch as `Stateful FTP` and `PPTP` or global `IPSec` settings, if you need specific setup please\r\nvisit `Scripts\\Complete-Firewall.ps1` and take a look at `Set-NetFirewallSetting`.\\\r\nNote that `Scripts\\Complete-Firewall.ps1` is automatically called by `Scripts\\Deploy-Firewall.ps1`\r\n\r\n- Some scripts require you (network adapter) to be connected to network, for example to determine\r\nIPv4 broadcast address. (Otherwise errors may be generated)\r\n\r\n- Everything on system should be up to date because otherwise some rules may be skipped or incorrect,\r\nthis includes Windows updates, Microsoft store apps and all other software.\r\n\r\n[Table of Contents](#table-of-contents)\r\n\r\n### Note\r\n\r\n- Loading rules into an empty GPO should be very fast, however loading into GPO which already\r\ncontains rules will be significantly slower (depends on number of existing rules in GPO)\r\n\r\n- All errors and warnings will be saved to `Logs` directory, you can review these logs later if you\r\nwish to fix some problem, most warnings and even some errors can be safely ignored, in certain cases\r\nyou might want to resolve errors if possible.\r\n\r\n- Any rule that results in \"Access is denied\" while loading should be reloaded by executing specific\r\nscript again, see [FAQ](/docs/FAQ.md) for more information on why this may happen.\r\n\r\n- If the repository was manually downloaded, 
transferred from another computer or media then you should\\\r\nunblock all files in repository first to avoid YES/NO spam questions for every executing script,\r\nby running `Scripts\\Unblock-Project.ps1`\\\r\nMaster script `Scripts\\Deploy-Firewall.ps1` does this in case you forget, but initial YES/NO\r\nquestions will still be present in that case.\r\n\r\n- If you have \"Ransomware protection\" enabled (in Windows Defender),\r\nmake sure to whitelist either `pwsh.exe` (Core edition) or `powershell.exe` (Desktop edition)\r\nor both, otherwise errors happen in develop mode during installation of modules.\\\r\nIf Repository code is downloaded to a folder under ransomware protection anything may be blocked.\\\r\nPowerShell console might need to be restarted for \"Controlled folder access\" changes to take effect.\r\n\r\n- By default rules are made for `Users` group while for `Administrators` group only if necessary,\r\nrecommendation is to have standard user account which you use for everyday computing for security\r\nreasons.\\\r\nIf you're Administrator and are not willing to create standard account on your computer you'll have\r\nto modify `DefaultGroup` variable in `Config\\ProjectSettings.ps1` and specify `Administrators`.\r\n\r\n  See [SecurityAndPrivacy.md](/docs/SecurityAndPrivacy.md#standard-user-account) for more\r\n  information why using Administrator account is not recommended for security reasons.\\\r\n  Your administrative account used to deploy firewall must have a password set.\r\n\r\n- Software or Windows updates may rename executables or their locations, also user accounts may be\r\nrenamed by Administrator, therefore it's important to reload specific rules from time to time as\r\nneeded to update firewall for system changes that may happen at any time.\r\nThis behavior is called [Software regression][regression]\r\n\r\n- Before deploying firewall it is recommended to update system and user programs on target computer\r\nincluding Windows 
store apps, especially if system is fresh installed because updating later may\r\nrequire to reload some rules.\r\n\r\n[Table of Contents](#table-of-contents)\r\n\r\n### Quick start\r\n\r\n1. If you don't have ssh keys and other setup required to clone via SSH then either clone with HTTPS\r\nor just download released zip file from [Releases][releases], and then for the latest\r\nrelease under \"assets\" download zip file.\\\r\nThese steps here assume you have downloaded a zip file from \"assets\" section under \"Releases\".\r\n\r\n2. Extract downloaded archive somewhere, these steps assume you've extracted the zip file\r\n(repository root directory) into `C:\\` root drive directly.\r\n\r\n3. If you would like to use Windows PowerShell, see [How to open Windows PowerShell](WindowsPowerShell.md)\r\nOtherwise the procedure for both PowerShell Core and Windows PowerShell is similar:\\\r\nOpen up extracted folder, right click into an empty space and there is an option to run\r\nPowerShell Core as Administrator (Assumes you enabled context menu during installment of PowerShell\r\nCore) if not open it manually.\r\n\r\n4. If you don't have PowerShell context menu then move to `C:\\` root drive by executing the\r\nfollowing two lines (type or copy/paste the commands and hit enter for each),\r\nthis is where you extracted your downloaded zip file\r\n\r\n    ```powershell\r\n    c:\r\n    cd \\\r\n    ```\r\n\r\n5. cd into downloaded folder:\r\n\r\n    ```powershell\r\n    cd WindowsFirewallRuleset*\r\n    ```\r\n\r\n6. To see current execution policy type the following command and hit enter:\\\r\n(**hint:** *you can use `TAB` key to auto complete as you type*)\r\n\r\n    ```powershell\r\n    Get-ExecutionPolicy\r\n    ```\r\n\r\n    Remember the output of the above command, note that PowerShell Core defaults to\r\n    `RemoteSigned` while Windows PowerShell defaults to `Restricted` on non server editions.\r\n\r\n7. 
Set execution policy to unrestricted to be able to unblock project files,\r\n(Note that `RemoteSigned` will work only once scripts are unblocked)\r\n\r\n    ```powershell\r\n    Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted\r\n    ```\r\n\r\n    You may be prompted to accept execution policy change, if so type `Y` and press enter to accept.\\\r\n    For more information see [About Execution Policies][about execution policies]\r\n\r\n8. At this point you should \"unblock\" all repository files first by executing a script called\\\r\n`Scripts\\Unblock-Project.ps1`, btw. repository files were blocked by Windows to prevent users from\r\nrunning untrusted script code downloaded from internet:\r\n\r\n    ```powershell\r\n    .\\Scripts\\Unblock-Project.ps1\r\n    ```\r\n\r\n    If asked, make sure your answer is `R` that is `[R] Run once` as many times as needed to unblock\r\n    project. (approx. up to 8 times)\r\n\r\n9. Once repository files are unblocked change execution policy to `RemoteSigned`:\r\n\r\n    ```powershell\r\n    Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned\r\n    ```\r\n\r\n    You may be again prompted to accept execution policy change, type `Y` and press enter to accept.\r\n\r\n10. Rules for programs such as your web browser, games etc. depend on installation variables.\\\r\nMost paths are auto-searched and variables are updated transparently, otherwise you get warning and\r\ndescription on how to fix the problem.\\\r\nIf needed, you can find these installation variables in individual scripts inside `Rules` directory.\\\r\nIt is recommended to close down all `MMC` management consoles such as `gpedit.msc` or `secpol.msc`\r\nbefore running master script in the next step.\r\n\r\n11. 
Back to PowerShell console and run one of the two `Deploy-Firewall` commands below:\r\n\r\n    To deploy firewall automatically  with as few prompts as possible run:\r\n\r\n    ```powershell\r\n    .\\Scripts\\Deploy-Firewall.ps1 -Force\r\n    ```\r\n\r\n    Otherwise to be interactively prompted which rules to load run:\r\n\r\n    ```powershell\r\n    .\\Scripts\\Deploy-Firewall.ps1\r\n    ```\r\n\r\n    Hit enter and you'll be asked questions such as what kind of rulesets you want.\\\r\n    If you need help to decide whether to run some ruleset or not, type `?` when prompted to run\r\n    ruleset and press enter to get more info.\\\r\n    If for what ever reason you want to interrupt and abort deployment (ex. to start a new) press\r\n    `CTRL + C` on your keyboard while PowerShell is in focus and restart PowerShell console.\r\n\r\n12. Follow prompt output, (ex. hit enter to accept default action),\r\nit will take some 15 minutes of your attention.\r\n\r\n    **NOTE:** If Administrator account is using Microsoft account to log in to computer you will be\r\n    asked for credentials, which needs to be Microsoft email and password regardless if you're\r\n    using Windows hello or not, specifying PIN ie. will not work and other Windows hello\r\n    authentication methods are not supported.\r\n\r\n    If invalid credentials are supplied you'll get an error saying `Access is denied`.\\\r\n    If this happens you'll need to restart PowerShell console and try again.\r\n\r\n    For more information why this is necessary see [FAQ](/docs/FAQ.md#why-do-i-need-to-specify-my-microsoft-account-credentials)\r\n\r\n13. If you encounter errors, you can either ignore errors or update script that produced the error\r\nthen rerun that specific script once again later.\r\n\r\n14. 
When done you might want to adjust some of the rules in Local Group Policy,\r\nnot all rules are enabled by default or you might want to toggle default Allow/Block behavior.\\\r\nRules may not cover all programs installed on your system, in which case missing rules need to be\r\nmade.\r\n\r\n15. Now go ahead and test your internet connection (ex. with a web browser or some other program),\r\nIf you're unable to connect to internet after deploying these rules you have several options:\r\n\r\n    - Temporarily open outbound firewall in GPO or [Disable Firewall](/docs/DisableFirewall.md)\r\n    - Troubleshoot problems: [Network troubleshooting detailed guide](/docs/NetworkTroubleshooting.md)\r\n    - You can [Reset Firewall to previous state](/docs/ResetFirewall.md)\r\n    - Take a look into `docs` directory for more troubleshooting options and documentation\r\n\r\n16. As a prerequisite to deploy firewall, some system services have been started and set to\r\nautomatic start, inside `Logs` directory you'll find `Services_\u003cDATE\u003e.log` to help you restore these\r\nservices to default if desired.\\\r\nFor example `Windows Remote Management` service should not run if not needed\r\n(the default is \"Manual\" startup)\r\n\r\n[Table of Contents](#table-of-contents)\r\n\r\n## Firewall management\r\n\r\nThe following section gives some hints to manage firewall with ease\r\n\r\n### Automated and interactive firewall deployment\r\n\r\n`Deploy-Firewall.ps1` script supports several parameters to let you customize deployment automation\r\nas follows:\r\n\r\n- To automatically run all rules without prompt and concise output but only for programs which exist\r\non system run:\r\n\r\n```powershell\r\n.\\Scripts\\Deploy-Firewall.ps1 -Force -Quiet\r\n```\r\n\r\n- To go step by step and be prompted for confirmation on which rulesets to load\r\nand to attempt to resolve issues on the fly run:\r\n\r\n```powershell\r\n.\\Scripts\\Deploy-Firewall.ps1 -Interactive\r\n```\r\n\r\n- To 
be prompted only for ruleset selection run `Deploy-Firewall` without any parameters:\r\n\r\n```powershell\r\n.\\Scripts\\Deploy-Firewall.ps1\r\n```\r\n\r\nTo learn the meaning of parameters to be able to combine them on your own see `Deploy-Firewall.ps1`\r\nscript comment or run the following command:\r\n\r\n```powershell\r\nGet-Help .\\Scripts\\Deploy-Firewall.ps1 -Detailed\r\n```\r\n\r\n### Manage GPO rules\r\n\r\nThere are two methods to manage GPO rules:\r\n\r\n1. Using Local Group Policy, this method gives you limited freedom on what you can do with rules\r\nfrom this repository, such as disabling them, changing some attributes or adding new rules.\\\r\nFor more information see: [Manage GPO Firewall](/docs/ManageGPOFirewall.md)\r\n\r\n2. Editing PowerShell scripts, this method gives you full control, you can change or remove existing\r\nrules with no restriction or add new ones.\r\n\r\nWhatever your plan or setup is, you will surely want to perform additional work such as customizing\r\nrules, or adding new rules for programs not yet covered by this firewall.\r\n\r\nRules are loaded into local group policy, if during firewall setup you accepted creating a shortcut\r\nto personalized firewall management console you can run the shortcut, otherwise follow steps\r\nmentioned in [Manage GPO Firewall](/docs/ManageGPOFirewall.md)\r\n\r\nFor more information about GPO see:\r\n[Configure security policy settings][configure security policy settings]\r\n\r\n[Table of Contents](#table-of-contents)\r\n\r\n### Deploying individual rulesets\r\n\r\nIf you want to deploy only specific rules there are two ways to do this:\r\n\r\n1. Execute `Scripts\\Deploy-Firewall.ps1` and choose `Yes` only for rulesets you want, otherwise choose\r\n`No` and hit enter to skip current ruleset.\r\n\r\n2. 
In PowerShell console navigate `cd` to directory containing ruleset script you want and execute\r\nindividual script.\\\r\nFor example `cd .\\Rules\\IPv4\\Outbound\\Software` followed by `.\\Adobe.ps1` to load rules for Adobe.\r\n\r\nYou might want to run `Scripts\\Complete-Firewall.ps1` afterwards to apply default firewall behavior\r\nif it's not already set, or you can do it manually in GPO but with limited power.\r\n\"limited power\" means `Scripts\\Complete-Firewall.ps1` configures some firewall parameters which\r\ncan't be adjusted in firewall GUI.\r\n\r\nIn both cases all rules that match ruleset group, `DisplayGroup`, will be deleted before loading\r\nrules into GPO.\r\n\r\n[Table of Contents](#table-of-contents)\r\n\r\n### Deleting rules\r\n\r\nAt the moment there are three options to delete firewall rules:\r\n\r\n1. The easiest way is to select all rules you want to delete in GPO, right click and delete.\r\n\r\n2. To delete rules according to file there is a function for this purpose, located in:\\\r\n`Modules\\Ruleset.Firewall\\Public\\Remove-FirewallRule.ps1`\\\r\nhowever you first need to export firewall to file before using it.\r\n\r\n3. To revert to your old firewall state (the one in control panel), you'll need to delete all\r\nrules from GPO, and set all properties to `Not configured` after right click on node:\\\r\n`Windows Defender Firewall with Advanced Security - Local Group Policy Object`\r\n\r\nDeleting all rules or reverting to previous state can also be done with `Scripts\\Reset-Firewall.ps1`\\\r\nNote that you'll also need to re-import your exported GPO rules if you had them.\r\n\r\n[Table of Contents](#table-of-contents)\r\n\r\n### Export/Import rules\r\n\r\nIf you want to export rules from GPO there are two methods available:\r\n\r\n1. Export in local group policy by clicking on `Export Policy...` menu, after right click on node:\\\r\n`Windows Defender Firewall with Advanced Security - Local Group Policy Object`\r\n\r\n2. 
To export using PowerShell run `Scripts\\Backup-Firewall.ps1`\\\r\nIf you want to customize your export see `Export-RegistryRule` function located in `Ruleset.Firewall`\r\nmodule, which lets you customize your export in almost any way you want.\r\n\r\nIf you want to import rules, importing by using GPO is same as for export, and to import with\r\nPowerShell just run `Scripts\\Restore-Firewall.ps1` which will pick up your previous export files.\r\n\r\nTo customize your export\\import please take a look into `Modules\\Ruleset.Firewall\\Public`,\r\nwhich is where you'll find description on how to use export\\import module functions.\r\n\r\n**NOTE:** `Export-FirewallRule` function is really slow, you're advised to run `Export-RegistryRule`\r\nfunction instead which is as fast as it can be.\r\n\r\n[Table of Contents](#table-of-contents)\r\n\r\n## Remote firewall deployment\r\n\r\nThis section and functionality is currently experimental and not fully complete,\r\nat the moment deployment to single remote computer is supported.\r\n\r\n![Under construction](/docs/Screenshots/UnderConstruction.gif)\r\n\r\nIn remote firewall deployment there are at least two computers involved,\\\r\none is called management computer (client) and all others are called managed computers (servers).\r\n\r\nScripts are executed by administrator on management computer, and firewall is then deployed to or\r\nconfigured on multiple server computers simultaneously.\r\n\r\nFor implementation details see `Modules\\Ruleset.Remote` module\r\n\r\n**NOTE:** Remoting functionality is not exclusive to remote firewall deployment, deployment to\r\nlocalhost by design requires working WinRM and PS remoting configuration as well.\r\n\r\nBefore remote deployment can be performed, remote computer (server) needs to be configured to accept\r\nconnection, example on how to establish SSL connection is as follows:\r\n\r\nTo allow execution, configure WinRM service and remote registry on server computer by 
running:\r\n\r\n**NOTE:** If using PowerShell core omit `-Protocol HTTPS` from `Enable-WinRMServer` below, this will\r\nenable both HTTP and HTTPS which is a temporary workaround for compatibility module to work in\r\nremote session.\r\n\r\n```powershell\r\n# On server computer\r\nSet-ExecutionPolicy -Scope LocalMachine RemoteSigned\r\nSet-Location C:\\Path\\to\\WindowsFirewallRuleset\r\nImport-Module .\\Modules\\Ruleset.Remote\r\nEnable-WinRMServer -Protocol HTTPS -KeepDefault -Confirm:$false\r\nEnable-RemoteRegistry -Confirm:$false\r\n```\r\n\r\nAfter performing these steps, inside `\\Exports` directory you'll find SSL certificate (*.cer) file\r\nwhich needs to be copied to management computer also into `\\Exports` directory.\\\r\nBy default self signed SSL certificate is created if the server computer does not already have one.\r\n\r\n**NOTE:** Configuring server computer manually is performed only once for initial setup,\r\nyou don't need to repeat it for subsequent deployments.\r\n\r\nNext step is to move on to management computer and run scripts as wanted, for example:\r\n\r\n```powershell\r\n# On management computer\r\ncd C:\\Path\\to\\WindowsFirewallRuleset\\Scripts\r\nDeploy-Firewall -Domain \"RemoteComputerName\"\r\n```\r\n\r\nBoth sets of commands above need to be run in the same edition of PowerShell, ex. if server was\r\nconfigured in PowerShell Core then client computer also needs PowerShell core for deployment.\\\r\nIf either the server or management computer is a workstation (ex. 
not Windows server or part of domain)\r\nthen its network profile must be set to private profile.\r\n\r\nRemote deployment can be customized in great detail in the following locations:\r\n\r\n- To customize WinRM service see: `Modules\\Ruleset.Remote\\Scripts\\WinRMSettings.ps1`\r\n- To customize WSMan session configuration see: `Modules\\Ruleset.Remote\\Scripts\\*Firewall.pssc`\r\n- To customize self signed SSL certificate see: `Modules\\Ruleset.Remote\\Public\\Register-SslCertificate.ps1`\r\n- To customize PS and CIM session configuration see: `Modules\\Ruleset.Remote\\Scripts\\SessionSettings.ps1`\r\n\r\nFor additional information and troubleshooting tips see also [Remoting help](/docs/Remote.md)\r\n\r\n[Table of Contents](#table-of-contents)\r\n\r\n## Support, updates and documentation\r\n\r\nFor support, issue reports, suggestions or customization of this repository and methods to\r\nperiodically update this firewall please refer to [SUPPORT.md](SUPPORT.md)\r\n\r\n[Table of Contents](#table-of-contents)\r\n\r\n## The future\r\n\r\nThe following features are desired and might be available at some point in the future:\r\n\r\n1. Remote firewall administration\r\n\r\n    - Deploying firewall configuration to multiple remote computers on domain or home networks\r\n\r\n2. Comprehensive firewall rulesets for Windows Server editions and dedicated gateway systems.\r\n\r\n3. On demand or scheduled registry scan to validate integrity of active firewall filtering policy\r\nand firewall settings\r\n\r\n    - Any firewall rule or setting in the registry that is not part of this repository is reported\r\n    for review.\r\n    - Because malware, hackers and even trusted software can attempt to bypass firewall at any time\r\n\r\n4. 
Full functionality for the following not yet tested editions of Windows 10.0\r\n   - Windows 10 \u0026 11 Pro for Workstations\r\n   - Windows 10 \u0026 11 IoT Core Blast\r\n   - Windows 10 \u0026 11 IoT Enterprise\r\n   - Windows 10 \u0026 11 S\r\n\r\n5. Functionality for x86 systems\r\n\r\n[Table of Contents](#table-of-contents)\r\n\r\n[corporate firewall]: https://bitbucket.org/SuperAAAAA/shack/raw/60508e0e23d73aeb8f9a4fdc75b13ea94e56e62b/corporate.jpg \"Corporate Firewall\"\r\n[download core]: https://github.com/PowerShell/PowerShell \"Download PowerShell Core\"\r\n[download .net]: https://dotnet.microsoft.com/download/dotnet-framework \"Download .NET Framework\"\r\n[download git]: https://git-scm.com/downloads \"Visit Git downloads page\"\r\n[vscode]: https://code.visualstudio.com \"Visit Visual Studio Code home page\"\r\n[download powershell extension]: https://marketplace.visualstudio.com/items?itemName=ms-vscode.PowerShell \"Visit Marketplace\"\r\n[module psscriptanalyzer]: https://github.com/PowerShell/PSScriptAnalyzer \"Visit PSScriptAnalyzer repository\"\r\n[about execution policies]: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies \"About Execution Policies\"\r\n[configure security policy settings]: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/how-to-configure-security-policy-settings \"Configure Security Policy Settings\"\r\n[releases]: https://github.com/metablaster/WindowsFirewallRuleset/releases \"Visit releases page now\"\r\n[powershell]: https://docs.microsoft.com/en-us/powershell/scripting/overview \"What is PowerShell anyway?\"\r\n[windows]: https://learn.microsoft.com/en-us/windows/resources \"Visit Windows client documentation for IT Pros\"\r\n[alpha]: https://en.wikipedia.org/wiki/Software_release_life_cycle#Alpha \"What is alpha software? 
- Wikipedia\"\r\n[badge status]: https://img.shields.io/static/v1?label=Status\u0026message=Alpha\u0026color=red\u0026style=plastic\r\n[badge system]: https://img.shields.io/static/v1?label=OS\u0026message=Windows\u0026color=informational\u0026style=plastic\u0026logo=Windows\r\n[badge language]: https://img.shields.io/static/v1?label=Language\u0026message=PowerShell\u0026color=informational\u0026style=plastic\u0026logo=PowerShell\r\n[badge vscode]: https://img.shields.io/static/v1?label=Managed%20in\u0026message=VSCode\u0026color=informational\u0026style=plastic\u0026logo=Visual-Studio-Code\r\n[regression]: https://en.wikipedia.org/wiki/Software_regression \"What is software regression?\"\r\n[sigcheck]: https://learn.microsoft.com/en-us/sysinternals/downloads/sigcheck \"Download sigcheck from Microsoft\"\r\n[multicursor]: https://code.visualstudio.com/Docs/editor/codebasics#_multiple-selections-multicursor \"Visit VSCode documentation\"\r\n[virustotal terms]: https://support.virustotal.com/hc/en-us/articles/115002145529-Terms-of-Service \"Visit VirusTotal site\"\r\n[virustotal privacy]: https://support.virustotal.com/hc/en-us/articles/115002168385-Privacy-Policy \"Visit VirusTotal site\"\r\n\u003c!-- unused link or image reference false positive--\u003e\r\n\u003c!-- markdownlint-disable MD053 --\u003e\r\n[badge license]: https://img.shields.io/static/v1?label=License\u0026message=MIT\u0026color=success\u0026style=plastic\r\n\u003c!-- markdownlint-enable MD053 --\u003e\r\n[sysinternals terms]: https://learn.microsoft.com/en-us/sysinternals/license-terms \"Visit Microsoft 
site\"\r\n","funding_links":["https://paypal.me/metablaster"],"categories":["PowerShell"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmetablaster%2FWindowsFirewallRuleset","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmetablaster%2FWindowsFirewallRuleset","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmetablaster%2FWindowsFirewallRuleset/lists"}