Windows Firewall blocks unsolicited inbound network connections at the host level. When it is disabled or misconfigured, devices become reachable on any open port — both from the internet and from other devices on the same local network. This is the primary mechanism attackers use for lateral movement after compromising one endpoint: they scan the internal network for exposed SMB, RDP, WMI, and admin share ports on devices where the firewall is off.
Disabling the firewall is a common outcome in misconfigured enterprise builds where IT teams turn it off to avoid troubleshooting application connectivity issues. This leaves every device on the same network segment reachable by any other compromised host, dramatically lowering the cost of a ransomware operator moving from patient zero across the rest of the organisation.
Windows Firewall has three distinct profiles — Domain, Private, and Public — and all three need to be active. Devices that roam between coffee shops, home networks, and the corporate network are at particular risk if only the Domain profile is enforced.
When Windows Firewall is disabled or set to allow all inbound traffic, attackers can:
Windows Firewall being disabled or misconfigured is rarely acceptable. The following are the narrow exceptions.
Before enforcing firewall policy or modifying existing rules:
Enable and enforce Windows Firewall settings via Intune Endpoint Security:
Overe actively monitors and remediates this risk area. The following controls can be deployed and tracked in app.overe.io:
Microsoft: Configure Windows Firewall with Intune - https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-firewall-policy
Microsoft: Windows Defender Firewall with Advanced Security - https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/
Microsoft: Intune Endpoint Security Firewall profile settings - https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-firewall-profile-settings
After reviewing Windows Firewall configuration, also check these related risk areas: