Windows Firewall has been enabled by default since Windows XP SP2, but I still see deployments where it is turned off because of old habits from the days when it was difficult to work out how to allow applications through. With Windows 10 and Server 2019, most of the firewall policies you need are already built in and it's relatively easy to set up access. But there are times when you should tighten the settings of Windows Firewall to better protect against lateral movement and attackers. Here's what you need to know.

Build rules to binaries or executables

If an application needs a special rule, build it on the binary or executable, not on the port. This ensures the firewall opens only while the application is active. If you build a firewall rule on a port, that port stays open whether or not the application is running, and it exposes the system.

Identify blocked applications

Windows machines notify by default when an application is blocked. However, an IT administrator might want to use the event log to identify blocked applications rather than relying on the visual pop-ups in the system tray, which are easily missed. To determine which applications Windows Firewall blocks, first search the event logs for event 5031, which indicates that Windows Firewall blocked an application from accepting incoming connections on the network.
Use this event to detect applications for which no Windows Firewall rules exist.

Set up security monitoring

If you are using a security event log monitoring solution to monitor events, keep the following in mind:

- If you have a pre-defined application that performs the operation reported by this event, monitor events whose "Application" is not equal to your defined application.
- Monitor whether "Application" is not in a standard folder (for example, not in System32 or Program Files) or is in a restricted folder (for example, Temporary Internet Files).
- If you have a pre-defined list of restricted substrings or words in application names (for example, "mimikatz" or "cain.exe"), check for these substrings in "Application".

Block PowerShell from internet access

You can use Windows Firewall to block applications from accessing resources. As noted in this SANS forum post, you can block PowerShell from accessing the internet. The first rule below allows PowerShell to reach the local subnet. The second rule drops its other traffic.

C:\> netsh advfirewall firewall add rule name="PS-Allow-LAN" dir=out remoteip=localsubnet action=allow program="c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe" enable=yes

C:\> netsh advfirewall firewall add rule name="PS-Deny-All" dir=out action=block program="c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe" enable=yes

This can protect your systems from attacks that leverage PowerShell to call command-and-control computers to launch ransomware and other attacks.
PowerShell should not be removed but rather hardened and logged to ensure it's used as intended. You can also build rules for multiple versions of PowerShell:

C:\> for /R %f in (powershell*.exe) do (
       netsh advfirewall firewall add rule name="PS-Allow-LAN (%f)" dir=out remoteip=localsubnet action=allow program="%f" enable=yes
       netsh advfirewall firewall add rule name="PS-Deny-All (%f)" dir=out action=block program="%f" enable=yes
     )

Run the loop from the root of the system drive so the recursive search covers every PowerShell install; in a batch file, write %%f instead of %f.

Image: Firewall rule to block PowerShell from internet access (Susan Bradley)

You'll see the resulting rule in the outbound firewall rule settings:

Image: Windows Firewall rules (Susan Bradley)

If PowerShell is intentionally made to hide itself by calling the binary from another location or by renaming itself, this process will not work. It will block attacks that target low-hanging fruit.

Set firewall rules with PowerShell

You can set firewall rules with PowerShell as documented by Microsoft. For example, to block outbound port 80 on a server, use the following PowerShell command:

New-NetFirewallRule -DisplayName "Block Outbound Port 80" -Direction Outbound -LocalPort 80 -Protocol TCP -Action Block

The basic properties you need to fill in are:

- DisplayName: the friendly name of the firewall rule
- Direction: whether to block traffic leaving the computer (outbound) or coming into the computer (inbound)
- Action: what to do when the rule matches, allow or block

You can use many PowerShell cmdlets to better control and manage Windows Firewall. All are documented in the NetSecurity module reference.

Review new Windows 10 security baselines

Don't forget that with each version of Windows 10 Microsoft releases new security baselines.
As part of the baselines they include suggested firewall policies.

Image: Windows 10 2004 baseline policies (Susan Bradley)

By default, inbound connections should be blocked for the domain profile and the private profile.

Audit settings regularly

Finally, when reviewing the security status of your network, take a random sample of workstations on a regular basis and audit their settings. Review the firewall policies on each sample workstation. I am often surprised by the applications that have built rules for themselves when I have forgotten to build blocking rules on a segment.
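As an added example (not from the article), the following PowerShell audits a sampled workstation for two of the points above: inbound allow rules keyed to a port rather than a program, and PowerShell binaries that lack the PS-Allow-LAN / PS-Deny-All outbound pair created by the netsh commands. The search folders and the expectation of one Allow plus one Block rule per binary are assumptions; it uses the NetSecurity cmdlets in an elevated session.

```powershell
# Added example, not from the article. Requires an elevated session and the NetSecurity module.
function Get-PortOnlyInboundAllowRule {
    # Enabled inbound allow rules whose application filter is "Any": the port is open whether
    # or not the intended service is running. Service-scoped built-in rules show up here too,
    # so treat the output as a review list rather than a verdict.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $app  = $_ | Get-NetFirewallApplicationFilter
        $port = $_ | Get-NetFirewallPortFilter
        if ($app.Program -eq 'Any') {
            [pscustomobject]@{
                Name      = $_.DisplayName
                Profile   = $_.Profile
                Protocol  = $port.Protocol
                LocalPort = (@($port.LocalPort) -join ',')
            }
        }
    }
}

function Test-PowerShellEgressRules {
    # For every powershell*.exe / pwsh.exe under the assumed folders below, report whether an
    # enabled outbound Allow rule and an enabled outbound Block rule exist for that exact
    # program path, i.e. the pair the netsh commands create. Block rules take precedence over
    # allow rules in Windows Firewall, so also confirm with a real connection that LAN traffic
    # still passes once the pair is in place.
    $roots = @("$env:SystemRoot\System32\WindowsPowerShell",
               "$env:SystemRoot\SysWOW64\WindowsPowerShell",
               "$env:ProgramFiles\PowerShell")
    $binaries = Get-ChildItem -Path $roots -Recurse -Include 'powershell*.exe', 'pwsh.exe' -ErrorAction SilentlyContinue
    # Index outbound rule actions by program path; stored paths may use %SystemRoot%-style variables.
    $byProgram = @{}
    foreach ($rule in Get-NetFirewallRule -Direction Outbound -Enabled True) {
        $prog = ($rule | Get-NetFirewallApplicationFilter).Program
        if ($prog -eq 'Any') { continue }
        $key = [Environment]::ExpandEnvironmentVariables($prog).ToLowerInvariant()
        if (-not $byProgram.ContainsKey($key)) { $byProgram[$key] = @() }
        $byProgram[$key] += [string]$rule.Action
    }
    foreach ($bin in $binaries) {
        $actions = $byProgram[$bin.FullName.ToLowerInvariant()]
        [pscustomobject]@{
            Binary   = $bin.FullName
            HasAllow = [bool]($actions -contains 'Allow')
            HasBlock = [bool]($actions -contains 'Block')
        }
    }
}

Get-PortOnlyInboundAllowRule | Format-Table -AutoSize
Test-PowerShellEgressRules   | Format-Table -AutoSize
```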
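The event 5031 review from the "Set up security monitoring" section above, as an added example that is not part of the article: it pulls the "Application" field from each 5031 event in the Security log and applies the three checks listed there. The folder lists, the empty expected-application list and any watchlist entries beyond "mimikatz" and "cain.exe" are assumptions to tailor, and the sample paths at the end are constructed so the checks can be exercised offline.

```powershell
# Added example, not from the article. Folder lists and the watchlist beyond "mimikatz" and
# "cain.exe" are assumptions; set $ExpectedApplications to the programs that should accept
# inbound connections on this host (leave it empty to skip that check).
$StandardFolders      = @('\windows\system32\', '\program files\', '\program files (x86)\')
$RestrictedFolders    = @('\temporary internet files\', '\appdata\local\temp\', '\users\public\')
$Watchlist            = @('mimikatz', 'cain.exe')
$ExpectedApplications = @()

function Test-BlockedApplication {
    param([Parameter(Mandatory)][string]$Application)
    # 5031 records the path in device form (\device\harddiskvolumeN\...); normalise it.
    $path = ($Application -replace '^\\device\\harddiskvolume\d+', '').ToLowerInvariant()
    $leaf = Split-Path -Path $path -Leaf
    $reasons = @()
    if ($ExpectedApplications.Count -gt 0 -and $leaf -notin $ExpectedApplications) {
        $reasons += 'not the pre-defined application'
    }
    if (-not ($StandardFolders | Where-Object { $path.Contains($_) })) {
        $reasons += 'outside System32 / Program Files'
    }
    if ($RestrictedFolders | Where-Object { $path.Contains($_) }) {
        $reasons += 'in a restricted folder'
    }
    $hits = @($Watchlist | Where-Object { $leaf.Contains($_) })
    if ($hits.Count -gt 0) { $reasons += "name matches watchlist ($($hits -join ', '))" }
    [pscustomobject]@{
        Application = $Application
        Suspicious  = ($reasons.Count -gt 0)
        Reasons     = ($reasons -join '; ')
    }
}

function Get-SuspiciousBlockedApplication {
    param([int]$Days = 7)
    # Needs an elevated session and the audit policy that writes 5031 to the Security log.
    $filter = @{ LogName = 'Security'; Id = 5031; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $app  = ($data | Where-Object { $_.Name -eq 'Application' }).'#text'
        Test-BlockedApplication -Application $app |
            Add-Member -NotePropertyName TimeCreated -NotePropertyValue $_.TimeCreated -PassThru
    } | Where-Object Suspicious
}

# Constructed sample paths (not from a real log) to exercise the checks offline:
@('\device\harddiskvolume2\windows\system32\svchost.exe',
  '\device\harddiskvolume2\users\alice\appdata\local\temp\mimikatz.exe') |
    ForEach-Object { Test-BlockedApplication -Application $_ } | Format-Table -AutoSize
```

On a live host, run Get-SuspiciousBlockedApplication -Days 30 instead of the sample loop to review the last month of 5031 events.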