This topic describes Windows Firewall with Advanced Security (WFAS), its application scenarios, and common operations.


As an important part of the hierarchical security model, WFAS was launched after Windows NT6.0 by Microsoft. WFAS blocks unauthorized traffic that flows in or out of local computers by providing bi-directional filtering based on the current connection status. WFAS also uses Network Location Awareness (NLA) to apply the corresponding firewall profile to the computer based on its current connection status. The security rules of Windows Firewall and Internet Protocol Security (IPsec) are configured in the Microsoft Management Console (MMC) snap-in, and WFAS is also an important part of the network isolation policy.

Application Scenario

More and more O&M personnel are reporting that servers are attacked and passwords are cracked, which in most cases, are due to the “backdoor” left open to “intruders”. Intruders scan open ports on your computers and penetrate them through vulnerable ports, for example, the remote port 3389 in Windows and the remote port 22 in Linux. Now that we know where the problem is, we can take the effective countermeasure. Specifically, we can close these “backdoors” by modifying the default remote ports and restricting remote access. So how do we restrict remote access? Now let's demonstrate how to restrict the remote desktop connection by taking an ECS instance (Windows Server 2008 R2) for example.


  1. View the Windows Firewall status

    Windows Firewall of the ECS instance is disabled by default. You can press Win+R to open the Run window, enter firewall.cpl, and then press Enter to open the Windows Firewall console, as shown below.

    Enable or disable Windows Firewall.

    As shown below, Windows Firewall is disabled by default.

  2. Enable Windows Firewall

    Enable Windows Firewall through the previous steps, as shown below.

    Before enabling Windows Firewall, make sure the remote port is open in the inbound rules, or you cannot establish the remote connection even yourself. WFAS, however, opens RDP port 3389 in its inbound rules by default. Select Advanced settings.

    Select Inbound Rules. We can see that the Open RDP Port 3389 rule is enabled by default.

  3. Configure WFAS

    Press Win+R to open the Run window, enter wf.msc, and then press Enter to open the WFAS window, as shown below.

    1. Create an inbound rule manually

      In the New Inbound Rule Wizard window, select Port and click Next.

      Select TCP and set Specific Local Ports to 3389.

      Click Next and select Allow the connection.

      Click Next and keep the default configurations.

      Click Next and enter the rule name (for example, "RemoteDesktop"), and click Finish.

      The new rule is shown in the Inbound Rule list.

      With the above steps, the remote port is added to WFAS, but access restriction is still not implemented. Let's implement it now.

    2. Configure the IP address scope

      Right-click the just created inbound rule, and select Properties in the context menu. In the displayed dialog box, click the Scope tab. Then add the remote IP addresses that can access this ECS instance. Note that once the IP address settings here are enabled, other IP addresses will be unable to access this ECS instance.

      Add remote IP addresses.

    3. Validate the IP address scope

      Let's add an IP address arbitrarily in the Remote IP address box and see what happens to the remote connection.

      The remote connection is down.

      If the remote connection is still up, we can just disable the Open RDP Port 3389 rule.

      If the remote connection is down, it means that the IP address scope has taken effect. However, we cannot connect to the ECS instance ourselves now. What should we do? We now can turn to the ECS console. Log on to the ECS console, and replace the remote IP address previously configured in the Scope tab with our own address (enter the Internet address unless your work environment is connected to Alibaba Cloud). You can connect to the ECS instance again now.

      Enter the ECS console, find the corresponding instance, and then connect to it.

      Log on to the ECS instance.

      Modify the remote IP address in the Scope tab of the RemoteDesktop rule in the same way. Specifically, replace with our own IP address.

      Now we can connect to the ECS instance normally after adding our IP address. If you do not know your Internet address, you can click here to view it.

      The above steps implement remote access restriction on an ECS instance through WFAS. For other services and ports, restrictions can be implemented in the same way, for example, disabling ports 135, 137, 138, and 445 that are not used frequently, limiting access to FTP and related services, and more, thus maximizing the protection of ECS instances.

Command line operations

  1. Export the firewall configurations to a file.
    netsh advfirewall export c:\adv.pol
  2. Import the firewall configuration file to the system.
    netsh advfirewall import c:\adv.pol
  3. Restore the default firewall settings.
    Netsh advfirewall reset
  4. Disable the firewall.
    netsh advfirewall set allprofiles state off
  5. Enable the firewall.
    netsh advfirewall set allprofiles state on
  6. Configure to block inbound traffic and allow outbound traffic by default in all configuration files.
    netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
  7. Delete the rule named “ftp”.
    netsh advfirewall firewall delete rule name=ftp
  8. Delete all inbound rules for local port 80.
    netsh advfirewall firewall delete rule name=all protocol=tcp localport=80
  9. Add the RemoteDesktop rule to allow port 3389.
    netsh advfirewall firewall add rule name=RemoteDesktop (TCP-In-3389) protocol=TCP dir=in localport=3389 action=allow


How to restrict the access of ports/IP addresses/applications using Windows 2008/2012 Firewall?

More open source software are available at Alibaba Cloud Marketplace.