IT Connect

Information technology tools and resources at the UW

Managing Windows Firewall with GPOs

Managing Windows Firewall settings at scale saves time while broadly providing protection from internet based attackers. This document describes how delegated OU customers can create and update a group policy object which uses current definitions of the UW network. This can be useful in only allowing specific network access from computers on the UW network.

Creating a GPO to enable Windows Firewall settings using GPMC.MSC

Creating a GPO to enable Windows Firewall settings with Powershell

Updating an existing GPO for Windows Firewall with Powershell

 

Creating a GPO to enable Windows Firewall settings using GPMC.MSC

This particular example enables TCP port 8888 for all of UW Campus

Using gpmc.msc, navigate to the OU where you want the GPO applied. Right-click and select “Create a GPO in this domain, and Link it here”. Ensure you are following the GPO naming conventions as detailed here: https://itconnect.uw.edu/wares/msinf/design/policy/ou-practices/#groupPolicy

In the right pane, “Edit” your new GPO. Navigate to the Windows Firewall section under Computer Configuration->Policies->Windows Settings->Security Settings->Windows Firewall with Advanced Security. Right-click Inbound Rules and select “New Rule”

Select “Custom” for Rule Type.

For Protocol and Ports, select TCP and enter 8888 for specific local ports. You can enter multiple ports or port ranges in these boxes.

For Scope, enter the subnets as defined by UW Network Operations in the remote IP addresses section. The full list can be found at https://wiki.cac.washington.edu/display/UWNOC/IP+Address+Space+Usage

Click through the wizard adjusting as necessary and provide a Name. In this example, the name “Allow TCP 8888 – UW Campus”

 

Creating a GPO to enable Windows Firewall settings with Powershell

The following PowerShell code sample can be used to create a group policy object with the Windows Firewall settings.

The code references CampusIpRanges.txt which contains a list of current IP address ranges as managed by UW-IT’s Network Operations team. This list is reviewed for accuracy quarterly. Changes will also be made when we are notified of changes to the following authoritative source: https://wiki.cac.washington.edu/display/UWNOC/IP+Address+Space+Usage

# Sample Powershell code to parse an existing text file with UW Campus IP ranges and create a GPO enabling Windows Firewall

# Current list of UW Campus IP ranges can be found at \\netid.washington.edu\netlogon\CampusIpRanges.txt

#

$IpAddressListFile = '\\netid.washington.edu\netlogon\CampusIpRanges.txt'

$UwCampusIps = New-Object Collections.Generic.List[String]

$lines = Get-Content $IpAddressListFile

foreach ($line in $lines) {

   if ($line -match "^s*#") {

      continue }

   elseif ($line -match "^s*$") {

      continue }

   elseif ($line -match "^([0-9./:a-f]{7,25})s*(#.*)?$") {

      Write-Output $matches[1] $UwCampusIps.Add($line) }

   else {

       Write-Output ("IGNORED: " + $line) }

}

#

# to create a GPO called "uwit: WindowsHosting: Firewall TCP 8888" which allows inbound TCP 8888 from UW Campus IPs and link it to the OU of Delegated/uwit/WindowsHosting

#

$FwRule = "Allow TCP 8888 - UW Campus"

$GpoName = "uwit: WindowsHosting: Firewall TCP 8888"

$TargetOU = "OU=WindowsHosting,OU=uwit,OU=Delegated,DC=netid,DC=washington,DC=edu"

$PolicyStoreName = "netid.washington.edu\" + $GpoName

New-Gpo -Name $GpoName | New-Gplink -target $TargetOU

$GpoSessionName = Open-NetGPO –PolicyStore $PolicyStoreName

New-NetFirewallRule -DisplayName $FwRule -RemoteAddress $UwCampusIps -Direction Inbound -GPOSession $GpoSessionName -PolicyStore $GpoName -Protocol TCP -LocalPort 8888

Save-NetGPO -GPOSession $GpoSessionName

 

Updating an existing GPO for Windows Firewall with Powershell

Using sample code found in \\netid.washington.edu\netlogon\CampusIpRanges.txt as a reference, you can use Powershell to either perform a one-time update of an existing GPO or customize it to run as a script to dynamically update your rules as changes occur in the UW Campus IP address space.

CampusIpRanges.txt contains a list of current IP address ranges as managed by UW-IT’s Network Operations team. This list is reviewed for accuracy quarterly. Changes will also be made when we are notified of changes to the following authoritative source: https://wiki.cac.washington.edu/display/UWNOC/IP+Address+Space+Usage