1 00:00:01,140 --> 00:00:02,240 In this demonstration,
2 00:00:02,240 --> 00:00:06,060 we're going to ensure your familiarity with Defender Firewall,
3 00:00:06,060 --> 00:00:09,230 both configuring it on a server‑by‑server basis, as
4 00:00:09,230 --> 00:00:11,820 well as centrally in Group Policy.
5 00:00:11,820 --> 00:00:15,850 So here we are on a Windows Server 2022 box, and I want to start
6 00:00:15,850 --> 00:00:19,040 by opening up Start and looking for firewall.
7 00:00:19,040 --> 00:00:23,440 Let's review the different ways we can manage this application.
8 00:00:23,440 --> 00:00:27,600 We can go to Windows Defender Firewall specifically. That
9 00:00:27,600 --> 00:00:29,990 brings up the old‑fashioned Control Panel.
10 00:00:29,990 --> 00:00:34,410 Let me go back to Start and type firewall again. There's also Firewall &
11 00:00:34,410 --> 00:00:38,190 network protection, which is part of the Settings pane. Personally,
12 00:00:38,190 --> 00:00:40,950 I'm not a really big fan of the Settings application
13 00:00:40,950 --> 00:00:43,840 across the board, so I'm just going to dismiss that
14 00:00:43,840 --> 00:00:46,940 window and pretend it doesn't exist.
15 00:00:46,940 --> 00:00:51,420 So the UI here looks virtually identical between Windows Server
16 00:00:51,420 --> 00:00:55,410 and Windows Client. Number one, we've got our controls, which are
17 00:00:55,410 --> 00:00:57,700 all governed by User Access Controls.
18 00:00:57,700 --> 00:01:01,710 So by definition, a standard non‑administrative user on a
19 00:01:01,710 --> 00:01:04,340 workstation would not be able to adjust these.
20 00:01:04,340 --> 00:01:07,810 You'll note that for all three location profiles,
21 00:01:07,810 --> 00:01:11,140 I've got Defender turned off. Well, that's not good.
22 00:01:11,140 --> 00:01:15,340 So we can easily remediate that just by flipping these switches,
23 00:01:15,340 --> 00:01:19,250 turning it to On. And as we can see on the home page in the Defender
24 00:01:19,250 --> 00:01:23,870 Firewall Control Panel, because I'm on a domain‑joined machine, the domain
25 00:01:23,870 --> 00:01:27,040 profile is the active one at this point in time.
26 00:01:27,040 --> 00:01:30,860 Okay, now you might have noticed that when I opened Start and looked
27 00:01:30,860 --> 00:01:35,440 for firewall, there was also the Windows Defender Firewall with Advanced
28 00:01:35,440 --> 00:01:38,640 Security Microsoft Management Console.
29 00:01:38,640 --> 00:01:43,180 And this kind of leads us over into centralized management of Defender
30 00:01:43,180 --> 00:01:47,230 Firewall for your Windows Server and Windows Client machines. On
31 00:01:47,230 --> 00:01:52,340 the main node here we've got this overview, where we can click to get into a modified
32 00:01:52,340 --> 00:01:54,780 version of the Firewall control panel.
33 00:01:54,780 --> 00:01:58,040 It's kind of inscrutable to me, honestly,
34 00:01:58,040 --> 00:02:01,770 why there are so many UIs for Windows Defender Firewall.
35 00:02:01,770 --> 00:02:04,220 You ever notice that? And as a matter of fact,
36 00:02:04,220 --> 00:02:06,990 if I bring up the Service Control Manager here,
37 00:02:06,990 --> 00:02:11,610 I want you to understand that Windows Defender Firewall does run as a Windows
38 00:02:11,610 --> 00:02:16,240 service, and it runs under the Local Service security context.
39 00:02:16,240 --> 00:02:20,180 When you've onboarded your server into some of the other
40 00:02:20,180 --> 00:02:22,560 Microsoft Defender cloud services,
41 00:02:22,560 --> 00:02:25,610 there may be additional services that come online here.
42 00:02:25,610 --> 00:02:30,970 I've got this machine enrolled with Microsoft Defender for Endpoint protection.
43 00:02:30,970 --> 00:02:34,540 So there's an Advanced Threat Protection service here running as well.
44 00:02:34,540 --> 00:02:37,440 But the main one I want to draw your attention to is the
45 00:02:37,440 --> 00:02:40,240 Windows Defender Firewall service.
46 00:02:40,240 --> 00:02:44,340 So what else do we need to know about this for the AZ‑801 exam?
47 00:02:44,340 --> 00:02:47,570 Well, we need to understand the basics of creating rules.
48 00:02:47,570 --> 00:02:51,340 So first of all, I want you to see we've got Inbound and Outbound Rules
49 00:02:51,340 --> 00:02:56,110 specifically, and there's a huge library of pre‑built rules that come out
50 00:02:56,110 --> 00:03:01,270 of the box in Windows, and others that get brought in here as you load server
51 00:03:01,270 --> 00:03:03,830 roles and features onto a machine.
52 00:03:03,830 --> 00:03:08,040 As you can see here, there are a number of Active Directory Domain Services rules.
53 00:03:08,040 --> 00:03:11,840 Why do we care about all these built‑in rules? Well, we want to make sure
54 00:03:11,840 --> 00:03:14,600 that as we're configuring our Windows Server boxes,
55 00:03:14,600 --> 00:03:16,780 we're not creating a denial of service.
56 00:03:16,780 --> 00:03:20,620 We want to keep the firewall on in order to protect the machine at the
57 00:03:20,620 --> 00:03:25,870 network layer, but we need to create these exceptions, these allow rules, to
58 00:03:25,870 --> 00:03:28,820 allow our line‑of‑business traffic to actually work.
59 00:03:28,820 --> 00:03:33,440 So let's right‑click on Inbound Rules, and let's go to New Rule, and
60 00:03:33,440 --> 00:03:36,730 let me familiarize you with the Inbound Rule Wizard.
61 00:03:36,730 --> 00:03:38,560 Hopefully, you already are familiar,
62 00:03:38,560 --> 00:03:42,710 but if not, here we go. Notice that we've got Program, Port,
63 00:03:42,710 --> 00:03:47,070 Predefined, and Custom. First, I want to show Predefined, and in Windows Server these
64 00:03:47,070 --> 00:03:51,390 are almost all aligned to different server roles,
65 00:03:51,390 --> 00:03:55,740 like DFS and file services, BranchCache,
66 00:03:55,740 --> 00:04:00,720 DNS, Remote Desktop, Remote Management, firewall,
67 00:04:00,720 --> 00:04:02,240 that kind of stuff.
68 00:04:02,240 --> 00:04:07,710 And those entries allow you to easily create exceptions for services if those
69 00:04:07,710 --> 00:04:11,860 rules aren't auto‑created by the service. If we go to Port,
70 00:04:11,860 --> 00:04:15,440 this would be a common one that I have seen, when you have
71 00:04:15,440 --> 00:04:20,060 specific TCP or UDP exceptions that you want to make. As you can
72 00:04:20,060 --> 00:04:24,800 see here, I could say this is TCP, and is this going to apply
73 00:04:24,800 --> 00:04:28,420 to local ports or all ports?
74 00:04:28,420 --> 00:04:32,590 I'm going to say All local ports. And then we can decide: are we going to
75 00:04:32,590 --> 00:04:36,880 allow, are we going to block, or, notice this third option, allow the
76 00:04:36,880 --> 00:04:41,430 connection if it's secure? So this is an example of connection security
77 00:04:41,430 --> 00:04:46,140 rules, where we're bringing in IPsec to add authentication and possibly
78 00:04:46,140 --> 00:04:48,740 encryption to that communication.
79 00:04:48,740 --> 00:04:53,040 All right, let me right‑click, go to New Rule again.
80 00:04:53,040 --> 00:04:56,570 Lastly, let me come down to Custom. And this one is where I
81 00:04:56,570 --> 00:05:00,310 normally go, because the Custom path gives you control over
82 00:05:00,310 --> 00:05:02,000 all of the preceding templates.
83 00:05:02,000 --> 00:05:02,610 In other words,
84 00:05:02,610 --> 00:05:07,800 we can apply the rule only to specific executables, as you can see, specific
85 00:05:07,800 --> 00:05:13,530 services, and then we can choose right down to not just the port and the
86 00:05:13,530 --> 00:05:17,130 number, but we can choose protocols and message types.
87 00:05:17,130 --> 00:05:21,390 Here's a common one that I use in industry, and that would be ICMP,
88 00:05:21,390 --> 00:05:25,080 the Internet Control Message Protocol, v4. And then we could
89 00:05:25,080 --> 00:05:28,840 even go further and say we want to create an allowance for
90 00:05:28,840 --> 00:05:33,140 specific ICMP types like Echo Request.
91 00:05:33,140 --> 00:05:37,050 This is what you would want to do to allow ping into the server.
92 00:05:37,050 --> 00:05:40,350 Now there's probably a predefined rule that makes it easier.
93 00:05:40,350 --> 00:05:43,900 This is kind of the long way around, but you see where I'm going here.
94 00:05:43,900 --> 00:05:47,940 I just want to outline the UI and some of the possibilities. The
95 00:05:47,940 --> 00:05:52,060 Defender Firewall is pretty useful in that regard, in you being able
96 00:05:52,060 --> 00:05:57,370 to quite granularly define these rules. In this case, in the Custom
97 00:05:57,370 --> 00:06:01,720 path for creating an inbound rule, we can specify which addresses
98 00:06:01,720 --> 00:06:03,540 this rule applies to.
99 00:06:03,540 --> 00:06:07,920 So we've got Any IP address on this machine, let's say, or we could go
100 00:06:07,920 --> 00:06:12,620 to the interface level and maybe only wireless, maybe only wired. Which
101 00:06:12,620 --> 00:06:16,340 remote IP addresses does this apply to?
102 00:06:16,340 --> 00:06:20,300 Once again, we come down to our rule. Is this going to be an Allow, a Block,
103 00:06:20,300 --> 00:06:26,200 or are we going to do an IPsec policy? In that case, as I already mentioned
104 00:06:26,200 --> 00:06:28,610 earlier in the theory part of this lesson,
105 00:06:28,610 --> 00:06:35,740 you can do authentication, you can do integrity, and you also can do encryption.
106 00:06:35,740 --> 00:06:39,890 This would be the Authentication Header and Encapsulating Security
107 00:06:39,890 --> 00:06:44,200 Payload IPsec protocols, specifically. All right,
108 00:06:44,200 --> 00:06:48,330 so those are some of the basic mechanics of working with rule
109 00:06:48,330 --> 00:06:51,240 definitions. And then, as you can see here,
110 00:06:51,240 --> 00:06:53,820 let's just pick on a particular rule.
111 00:06:53,820 --> 00:06:57,050 It looks like this predefined rule covers the Echo
112 00:06:57,050 --> 00:07:01,340 Request ICMPv4‑in scenario pretty well.
113 00:07:01,340 --> 00:07:03,590 One complaint I have about this interface:
114 00:07:03,590 --> 00:07:06,830 I wish it were more searchable and filterable. Of course,
115 00:07:06,830 --> 00:07:10,620 you always could use PowerShell to write search queries, but
116 00:07:10,620 --> 00:07:14,390 it can be a little cumbersome, especially when you're on a production server,
117 00:07:14,390 --> 00:07:17,880 like a domain controller here. And you'll notice here that because
118 00:07:17,880 --> 00:07:22,190 this one I double‑clicked on is not an administrator‑created rule,
119 00:07:22,190 --> 00:07:24,540 but one that comes out of the box,
120 00:07:24,540 --> 00:07:28,150 some of the properties will be read‑only. You won't be able to adjust
121 00:07:28,150 --> 00:07:32,050 everything. But what I want to show you here is that you can go into a rule
122 00:07:32,050 --> 00:07:37,800 that's already been created, and you can override or make choices different
123 00:07:37,800 --> 00:07:40,530 from how it was set up when you created the rules.
124 00:07:40,530 --> 00:07:43,880 Something else I almost forgot to mention is that you attach
125 00:07:43,880 --> 00:07:46,550 your rules to those location profiles.
126 00:07:46,550 --> 00:07:51,770 So this particular allow‑ping rule, you may only want to come into play
127 00:07:51,770 --> 00:07:55,220 when the machine is connected to an Active Directory domain and
128 00:07:55,220 --> 00:07:58,780 not when you're on a private or public network. Specifically, I wouldn't
129 00:07:58,780 --> 00:08:06,000 want a public link there, so I'll just choose Domain or Private and click OK to update that change.