All Products
Search
Document Center

Configure Windows Firewall rules for Windows Server instances

Last Updated: Dec 15, 2020

Disclaimer: This article may contain information about third-party products. Such information is for reference only. Alibaba Cloud does not make any guarantee, express or implied, with respect to the performance and reliability of third-party products, as well as potential impacts of operations on the products.

 

Overview

This article describes how to configure Windows Firewall rules for Windows Server instances.

 

Background

Alibaba Cloud reminds you that:

  • Before you perform operations that may cause risks, such as modifying instance configurations or data, we recommend that you check the disaster recovery and fault tolerance capabilities of the instances to ensure data security.
  • If you modify the configurations and data of instances including but not limited to ECS and RDS instances, we recommend that you create snapshots or enable RDS log backup.
  • If you have authorized or submitted security information such as the logon account and password in the Alibaba Cloud Management console, we recommend that you modify such information in a timely manner.

To configure Windows Firewall rules for Windows Server instances, perform the following steps:

Note: The following takes Windows Server 2008 as an example.  

 

Feature 1: Allow a program or feature to pass the Windows Firewall

  1. Establish a remote connection to a Windows instance.
  2. Choose Start > Control Panel > System and Security. In the System and Security window, click Windows Firewall.
  3. On the left side of the Windows Firewall window, click Allow a program or feature through Windows Firewall.
  4. Click allow another set of programs to run.
  5. In the Add a Program window, double-click the specified application in the Programs section. If you cannot find the specified application under this tab, click browse. In the file system, locate the application file, and double-click the File.

 

Feature 2: Allow or deny access to a specific local port

  1. Establish a remote connection to a Windows instance.
  2. Choose Start > Control Panel > System and Security. In the System and Security window, click Windows Firewall.
  3. Click Advanced settings.
  4. In the Windows Firewall with Advanced Security MMC snap-in, click Inbound Rules, and then click New Rule.
  5. On the Rule Type page that appears, select Port.
  6. Click Next. On the Protocol and Ports page that appears, select TCP or UDP as the protocol type, select Specific local ports, and then enter the number of the local port that you want to allow or deny, such as 8080.
  7. Click Next. On the Action page that appears, select Allow the connection or Block the connection.
    Note:
    • If the default inbound rule for the specified port is Allow, select Block the connection to disable the port.
    • If the default inbound rule for the specified port is Block, select Allow the connection to enable the port.
  8. Click Next. On the Profile page that appears, select where to apply the rule and click Next. On the Name page that appears, enter a name and description for the rule and click Finish.
    Note: By default, all profiles are selected. This option is determined by the network environment of the computer.

 

Feature 3. Block access from specific IP addresses

  1. Establish a remote connection to a Windows instance.
  2. Choose Start > Control Panel > System and Security. In the System and Security window, click Windows Firewall.
  3. Click Advanced settings.
  4. In the Windows Firewall with Advanced Security MMC snap-in, click Inbound Rules, and then click New Rule.
  5. On the Rule Type page that appears, select Custom and click Next.
  6. On the Program page that appears, select All programs or This program path, and click Next.
    Note: All programs indicates to match network packets sent or received by any program running on the local computer. This program path indicates to match network packets going to or from a specified program. Select All programs or This program path as required.
  7. On the Protocol and Ports page that appears, use the default settings and click Next.
  8. In the Which remote IP addresses does this rule apply to? section of the Scope page, select These IP addresses and click Add.
  9. Enter the IP address to match, click OK, and then click Next.
  10. On the Action page that appears, select Allow the connection or Block the connection.
  11. Click Next. On the Profile page that appears, select where to apply the rule and click Next. On the Name page that appears, enter a name and description for the rule and click Finish.

 

Feature 4: Allow specific IP addresses to access local ports

  1. Establish a remote connection to a Windows instance.
  2. Choose Start > Control Panel > System and Security. In the System and Security window, click Windows Firewall.
  3. Click Advanced settings.
  4. In the Windows Firewall with Advanced Security MMC snap-in, click Inbound Rules. Find the enabled local ports, right-click the specified port, and select Properties from the shortcut menu. Click the Scope tab. In the Remote IP address section, select These IP addresses.
  5. Click Add. Select This IP address or subnet, enter an IP address to match, and then click OK.

 

Feature 5: Block specific IP addresses or CIDR blocks from accessing the server

  1. Establish a remote connection to a Windows instance.
  2. Click Start, enter gpedit.msc, and then press the Enter key. The Local Group Policy Editor window appears.
  3. In the left-side navigation pane, double-click Computer Configuration > Windows Settings > Security Settings. Right-click IP Security Policy on Local Computer and select Create IP Security Policy from the shortcut menu. In IP Security Policy Wizard, click Next. On the IP Security Policy Name page that appears, enter the name and description of the IP security policy as prompted. Click Next. In the window that appears, click Next and then click Finish.
  4. Double-click the new IP security policy. In the window that appears, click Add. In Security Rule Wizard that appears, click Next.
  5. In the Specify the tunnel endpoint for the IP security rule section, select This rule does not specify a tunnel.
  6. Click Next. In the Select the network type section, select All network connections,.
  7. Click Next. In the "IP filter lists" section, click Add.
  8. In the IP Filter List window, specify the corresponding information as prompted, and then click Add to create a new IP filter.
  9. Select A specific IP Address or Subnet from the Source address drop-down list. In the IP Address or Subnet field, enter the specified IP address or CIDR block as prompted. Click Next.
  10. Select Any IP Address from the Destination address drop-down list and click Next.
  11. In the Select a protocol type section, select Any from the drop-down list and click Next. In IP Filter Wizard that appears, click Finish.
  12. In the IP Filter List section, select the new IP filter and click OK.
  13. On the Filter Action page that appears, click Next. Click Add to create a filter action.
  14. In Filter Action Wizard that appears, click Next. On the Filter Action Name page that appears, enter the name and description of the filter action. Click Next. On the Filter Action General Options page that appears, select Block. Click next and select not allow insecure communication. Click next and select integrity and encryption. Click next, and click finish.
  15. In Filter Action Wizard that appears, click Finish. Click OK. A rule used to prevent the specified IP address or CIDR block from accessing the server is added.

 

Application scope

  • ECS