All Products
Search
Document Center

:Best practices for Windows Firewall with Advanced Security

Last Updated:Mar 07, 2024

When an intruder scans for an exploitable open port such as port 3389 for Windows or port 22 for Linux on an Elastic Compute Service (ECS) instance, the intruder uses the port to attack the instance. To prevent the attack, you can change the default remote port on the instance or restrict remote access from specific IP addresses to the instance. This topic describes how to use Windows Firewall with Advanced Security (WFAS) to restrict remote access from specific IP addresses to an ECS instance. In this topic, an ECS instance that runs Windows Server 2012 R2 is used.

Background information

Instruction to WFAS

WFAS is a powerful firewall tool built into the Windows operating system to protect your computer from network attacks and malicious behavior. WFAS can monitor network traffic and allow or block specific network connections based on preset rules to enhance computer security. WFAS is an important part of a layered security model.

Features and characteristics of WFAS

WFAS provides host-based bidirectional network traffic filtering to block unauthorized network traffic that attempts to flow into or out of an on-premises computer. WFAS works with Network Awareness to apply corresponding security settings to the network to which the computer is connected. WFAS integrates Windows Firewall and Internet Protocol Security (IPsec) settings into the Microsoft Management Console (MMC). Therefore, WFAS is an important part of the network isolation strategy.

Note

The procedure described in this topic is inapplicable to ECS instances that run Windows Server 2016. For ECS instances that run Windows Server 2016, we recommend that you add security group rules to restrict remote access sources. For more information, see Add a security group rule. For information about use cases of security groups, see the "Security group rules for restricting access from instances to external websites" section in Security groups for different use cases.

Use MMC to configure WFAS

  1. Connect to a Windows instance.

    For more information, see Connect to a Windows instance by using a password.

  2. Enable the firewall.

    1. Press the shortcut keys Win+R to open the Run window.

    2. Enter firewall.cpl and click OK.

    3. On the left side of the Windows Firewall window, click Turn Windows Firewall on or off to view the firewall status.

      Note

      By default, the firewall is disabled.

    4. Select Turn on Windows Firewall for each network type and click OK.

  3. Check Remote Desktop Protocol (RDP) port 3389.

    1. Press the shortcut keys Win+R to open the Run window.

    2. Enter wf.msc and click OK.

    3. On the left side of the Windows Firewall with Advanced Security window, click Inbound Rules. The Open RDP Port 3389 inbound rule is displayed, which indicates that the default open port is 3389.

  4. Add RDP port 3389 to Windows Firewall with Advanced Security.

    1. In the Actions section, click New Rule. The New Inbound Rule Wizard dialog box is displayed.

    2. In the Rule Type step, select Port and click Next.

    3. In the Protocol and Ports step, select TCP as the protocol, select Specific local ports option, enter 3389 in the field, and then click Next.

    4. Select Allow the connection and click Next.

    5. Retain the default settings and click Next.

    6. Enter a rule name. In this example, RemoteDesktop is used. Click Finish.

  5. Configure the scope.

    1. In the Windows Firewall with Advanced Security window, right-click the inbound rule named RemoteDesktop and select Properties.

    2. On the Scope tab, select These IP addresses: in the Remote IP Address section, add one or more IP addresses or CIDR blocks, and then click OK.

      Important

      After the scope parameters are set, remote connections are allowed only from the IP addresses that you specified in the scope.

  6. Verify the scope. Add an IP address to the Remote IP address section. Then, click OK.

    • If the connection is automatically disconnected, the scope is in effect.

    • If the connection is unaffected, right-click the Open RDP Port 3389 inbound rule and select Disable Rule.

      Important

      If you disable the Open RDP Port 3389 inbound rule for port 3389, you cannot connect to the instance by using Workbench. If you want to re-enable port 3389, use Virtual Network Computing (VNC) to connect to the Windows instance and enable the Open RDP Port 3389 inbound rule. For more information, see Connect to an instance by using VNC.

  7. Connect to the ECS instance by using VNC and replace the remote IP address in the scope with the public IP address of your on-premises computer to restore the connection.

    1. Connect to the Windows instance by using VNC.

      For more information, see Connect to an instance by using VNC.

    2. In the scope that is defined in the RemoteDesktop inbound rule, change the remote IP address to the public IP address of your on-premises computer. For more information, see the Configure the scope step in this topic.

      Note

      In this case, only the public IP address of your on-premises computer can be used to connect to the ECS instance. This way, WFAS restricts remote access sources.

Use CLI to configure WFAS

You can run the netsh command in CLI to configure WFAS. This section provides the following sample netsh commands for different scenarios:

  • Export the firewall configuration file.

    netsh advfirewall export c:\adv.pol
  • Import the firewall configuration file.

    netsh advfirewall import c:\adv.pol
  • Restore the default settings of the firewall.

    netsh advfirewall reset
  • Disable the firewall.

    netsh advfirewall set allprofiles state off
  • Enable the firewall.

    netsh advfirewall set allprofiles state on
  • Configure the default firewall policy that applies to all configuration files to block inbound traffic and allow outbound traffic.

    netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
  • Delete the rule named ftp.

    netsh advfirewall firewall delete rule name=ftp
  • Delete all inbound rules for port 80.

    netsh advfirewall firewall delete rule name=all protocol=tcp localport=80
  • Add an inbound rule for the remote desktop to allow traffic from port 3389.

    netsh advfirewall firewall add rule name=remote desktop (TCP-In-3389) protocol=TCP dir=in localport=3389 action=allow