Windows Firewall Configuration

Why this risk matters

Windows Firewall blocks unsolicited inbound network connections at the host level. When it is disabled or misconfigured, devices become reachable on any open port — both from the internet and from other devices on the same local network. This is the primary mechanism attackers use for lateral movement after compromising one endpoint: they scan the internal network for exposed SMB, RDP, WMI, and admin share ports on devices where the firewall is off.

Disabling the firewall is a common outcome in misconfigured enterprise builds where IT teams turn it off to avoid troubleshooting application connectivity issues. This leaves every device on the same network segment reachable by any other compromised host, dramatically lowering the cost of a ransomware operator moving from patient zero across the rest of the organisation.

Windows Firewall has three distinct profiles — Domain, Private, and Public — and all three need to be active. Devices that roam between coffee shops, home networks, and the corporate network are at particular risk if only the Domain profile is enforced.

What happens if this is abused

When Windows Firewall is disabled or set to allow all inbound traffic, attackers can:

  • Scan internal devices for open SMB (445), RDP (3389), WMI, and admin share ports and connect to them directly; where those services carry vulnerabilities, no credentials are needed.
  • Move laterally from a single compromised endpoint to any other device on the same network that has the firewall off — a key step in ransomware deployment.
  • Use exposed administrative shares (C$, ADMIN$) to deploy malware payloads or run remote commands across multiple machines simultaneously.
  • Exploit the Public network profile gap: a device that has the Domain profile firewall enforced but Public profile disabled is fully exposed whenever it connects to a non-domain network (home Wi-Fi, coffee shop, hotel).

When this is expected or acceptable

Checks to perform before taking action

Safe remediation steps

Enable and enforce Windows Firewall settings via Intune Endpoint Security:

  1. Audit current firewall state — in Intune, navigate to Endpoint Security → Firewall. Review devices reporting firewall as off across any of the three profiles.
  2. Create a Firewall policy — in Endpoint Security → Firewall, create a new Microsoft Defender Firewall policy for Windows 10/11. Enable all three profiles (Domain, Private, Public) and set Default Inbound Action to Block for each.
  3. Enable stealth mode — set Disable Stealth Mode = Not configured (leave stealth active) for all profiles. This reduces the device's network footprint on untrusted networks.
  4. Pilot before broad rollout — assign the policy to a pilot group first. Monitor for application connectivity issues. Common sources of breakage: custom LOB apps using unusual inbound ports, remote desktop tools, print sharing, and network discovery for file shares.
  5. Create inbound rules for legitimate traffic — if specific applications require inbound access, add explicit allow rules in the same Firewall policy rather than disabling the firewall entirely. Scope rules to specific ports, protocols, and source addresses where possible.
  6. Roll out to all devices — once the pilot is stable, assign to all device groups. Windows Firewall enforcement via Intune takes precedence over local Group Policy and cannot be disabled by standard users.
  7. Include in compliance policy — add a firewall-enabled compliance condition in Intune so non-compliant devices are flagged for Conditional Access enforcement.
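The audit in step 1 and the scoped allow rule in step 5 can also be checked directly on a device. The PowerShell below is an added example, not part of this guidance and not an Intune artefact: it reads the three profiles with the built-in NetSecurity cmdlets, reports any profile that is disabled or whose default inbound action is not Block, lists enabled inbound allow rules that are open on any port from any address, and wraps a narrowly scoped inbound rule in a helper. It assumes an elevated PowerShell session on Windows 10/11; the application name, port 8443 and the 10.0.0.0/8 source range are placeholders.

```powershell
# Added example (not from the guidance page). Read-only audit of the local
# Windows Firewall state against the desired Intune policy, plus a helper that
# creates a tightly scoped inbound allow rule. Run elevated.

$requiredProfiles = @('Domain', 'Private', 'Public')
$findings = @()

# Step 1 equivalent: every profile must be on, with unsolicited inbound blocked.
foreach ($fwProfile in Get-NetFirewallProfile | Where-Object { $requiredProfiles -contains $_.Name }) {
    if (-not $fwProfile.Enabled) {
        $findings += "[$($fwProfile.Name)] firewall is DISABLED"
    }
    # DefaultInboundAction is NotConfigured, Allow or Block; only Block matches
    # the policy in step 2. Allow means every inbound connection is accepted.
    if ($fwProfile.DefaultInboundAction -ne 'Block') {
        $findings += "[$($fwProfile.Name)] DefaultInboundAction is $($fwProfile.DefaultInboundAction), expected Block"
    }
}

# Enabled inbound allow rules bound to any local port from any remote address
# undo a default-deny profile; surface them (with their program, if any) for review.
$broadRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
    ForEach-Object {
        $portFilter = $_ | Get-NetFirewallPortFilter
        $addrFilter = $_ | Get-NetFirewallAddressFilter
        $appFilter  = $_ | Get-NetFirewallApplicationFilter
        if ($portFilter.LocalPort -eq 'Any' -and $addrFilter.RemoteAddress -eq 'Any') {
            [pscustomobject]@{
                Name     = $_.DisplayName
                Profile  = $_.Profile
                Protocol = $portFilter.Protocol
                Program  = $appFilter.Program
            }
        }
    }

if ($findings.Count -eq 0) {
    Write-Output 'All three profiles are enabled with default inbound action Block.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}

if ($broadRules) {
    Write-Output 'Inbound allow rules open on any port from any address (review each):'
    $broadRules | Format-Table -AutoSize
}

# Step 5 equivalent: an allow rule limited to one protocol, one port, one source
# range and one profile. Parameter defaults are placeholders for a hypothetical
# line-of-business app; the function is defined but not invoked here.
function New-ScopedInboundRule {
    param(
        [string]$DisplayName   = 'LOB App inbound (TCP 8443)',   # placeholder
        [int]   $LocalPort     = 8443,                           # placeholder
        [string]$RemoteAddress = '10.0.0.0/8',                   # placeholder corporate range
        [string]$FwProfile     = 'Domain'
    )
    New-NetFirewallRule -DisplayName $DisplayName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $LocalPort -RemoteAddress $RemoteAddress -Profile $FwProfile
}
```

Use this as a spot check on a pilot device or during incident triage; the Intune Firewall policy remains the authoritative control, and local changes made with Set-NetFirewallProfile or New-NetFirewallRule are only a stopgap that the assigned policy will supersede on its next evaluation.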

Supporting documentation

Related risks and follow-on checks
