Feedback will be sent to Microsoft: By pressing the submit button, your feedback will be used to improve Microsoft products and services.
Privacy policy. This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port. To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs. For other inbound port rule types, see:. Note: Although you can create rules by selecting Program or Port , those choices limit the number of pages presented by the wizard.
If you select Custom , you see all of the pages, and have the most flexibility in creating your rules. On the Program page, click All programs , and then click Next. Skip to main content. This browser is no longer supported. Download Microsoft Edge More info. Contents Exit focus mode. Is this page helpful? Please rate your experience Yes No. Any additional feedback? Computer NTLMv2. Selecting this option tells the device to use and require authentication of the device by using its domain credentials.
This option works only with other devices that can use AuthIP. Computer certificate from this certification authority CA. Selecting this option and entering the identification of a CA tells the device to request authentication by using a certificate that is issued by the specified CA.
If you also select Accept only health certificates , then only certificates issued by a NAP server can be used for this rule. Preshared key not recommended. Selecting this method and entering a pre-shared key tells the device to authenticate by exchanging the pre-shared keys.
If the keys match, then the authentication succeeds. This method is not recommended, and is included for backward compatibility and testing purposes only. If you select First authentication is optional , then the connection can succeed even if the authentication attempt specified in this column fails. User Kerberos V5. Selecting this option tells the device to use and require authentication of the currently logged-on user by using his or her domain credentials.
User NTLMv2. Selecting this option tells the device to use and require authentication of the currently logged-on user by using his or her domain credentials, and uses the NTLMv2 protocol instead of Kerberos V5.
User health certificate from this certification authority CA. Maintain the default settings in Windows Defender Firewall whenever possible. These settings have been designed to secure your device for use in most network scenarios.
One key example is the default Block behavior for Inbound connections. In many cases, a next step for administrators will be to customize these profiles using rules sometimes called filters so that they can work with user apps or other types of software. For example, an administrator or user may choose to add a rule to accommodate a program, open a port or protocol, or allow a predefined type of traffic.
The interface for adding a new rule looks like this:. This article does not cover step-by-step rule configuration. In many cases, allowing specific types of inbound traffic will be required for applications to function in the network.
Administrators should keep the following rule precedence behaviors in mind when allowing these inbound exceptions. More specific rules will take precedence over less specific rules, except in the case of explicit block rules as mentioned in 2.
For example, if the parameters of rule 1 includes an IP address range, while the parameters of rule 2 include a single IP host address, rule 2 will take precedence.
Because of 1 and 2, it is important that, when designing a set of policies, you make sure that there are no other explicit block rules in place that could inadvertently overlap, thus preventing the traffic flow you wish to allow.
A general security best practice when creating inbound rules is to be as specific as possible. However, when new rules must be made that use ports or IP addresses, consider using consecutive ranges or subnets instead of individual addresses or ports where possible. This avoids creation of multiple filters under the hood, reduces complexity, and helps to avoid performance degradation.
Windows Defender Firewall does not support traditional weighted, administrator-assigned rule ordering. An effective policy set with expected behaviors can be created by keeping in mind the few, consistent, and logical rule behaviors described above. As there is a default block action in Windows Defender Firewall, it is necessary to create inbound exception rules to allow this traffic. It is common for the app or the app installer itself to add this firewall rule. Otherwise, the user or firewall admin on behalf of the user needs to manually create a rule.
If there are no active application or administrator-defined allow rule s , a dialog box will prompt the user to either allow or block an application's packets the first time the app is launched or tries to communicate in the network.
If the user has admin permissions, they will be prompted. If they respond No or cancel the prompt, block rules will be created. If the user is not a local admin, they will not be prompted.
0コメント