[00:00:03] Okay. Now what we're going to do is some Windows Firewall policy. I've got a GPO that I created on the Sales Clients OU. I'm going to go ahead and edit that GPO and drill into Computer Configuration, Policies, Windows Settings, Security Settings, and you'll see here Windows Firewall with Advanced Security.

[00:00:27] If I click on this node here, it shows me this screen where I can set the various states of the Windows Firewall, the Connection Security (IPsec) rules, and then my inbound and outbound rules.

[00:00:38] The first thing I'm going to do is go into the Windows Firewall policy, and this is where I can turn the firewall on or off for each profile. So for the domain profile, I'm going to say turn it on, so the Windows Firewall will be on when I'm on the corporate network. Now you'll see here that for inbound connections the default is to block inbound connections, and the default is to allow outbound connections. So I'm not going to change any of the defaults. I can also do things like customize the firewall notifications, whether or not I allow a unicast response to multicast or broadcast, and allow merging of rules.
[00:01:15] So that if I've got rules that have been set across multiple GPOs or within the local firewall, I can merge the domain firewall rules with the local firewall rules rather than overriding them. So anyway, let me go ahead and set my domain profile to be on, and I'm going to set the public profile to be on as well.

[00:01:38] Now that those two are on, I've got Windows Firewall for the public and domain profiles turned on, and I can go ahead and define some inbound rules. Remember, for the domain and public profiles with the Windows Firewall on, that means no unsolicited inbound traffic gets through.

[00:01:55] So what I want to do here is create a new inbound rule. I can either define a particular program that is allowed to connect inbound, a particular port, predefined services that Microsoft has provided, or custom rules. I like the predefined services because they cover a lot of the things I would normally want to do with a system. So, for example, Windows Management Instrumentation, WMI. I'd like to be able to do remote WMI management against workstations or servers that process this policy. So I'm going to create an exception for Windows Management Instrumentation, and you see that it actually creates three different rules for this particular exception that I've chosen. And I'm going to allow the connection.
[00:02:45] And now, for all profiles, I have these three rules created. Now, if I wanted to be selective about this, so that it applies to only some of the systems I'm interested in, I could go to the Advanced tab and select, well, I only want this to apply when I'm on the domain. I don't want to open up WMI for users that are on public networks, so I'll specify it only for the domain profile. I can do that for this one as well, so all of them are the same. And now I've created an exception to the default inbound policy that allows WMI traffic to get through.

[00:03:30] And that's really as simple as it is for creating rules and configuring the firewall. You can set these in multiple GPOs or you can define them all in a single GPO. I typically recommend keeping all of your firewall settings together, unless you have lots of different kinds of rules that you need to apply. As an example, you might have a set of firewall rules for workstations that are vastly different from those for servers, which is completely understandable, so putting those into separate GPOs makes total sense.
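The policy the video builds by clicking through the GPO editor (firewall on for the Domain and Public profiles, inbound blocked and outbound allowed by default, local rule merging, and the predefined WMI exception scoped to the domain profile only) can be expressed and, more usefully, verified with the NetSecurity cmdlets. The script below is an added example, not code from the video or its author. It is written against the local persistent store so it can be run and checked on a single machine; the `$PolicyStore` parameter and the `<domain FQDN>\<GPO name>` placeholder mentioned in the comments are assumptions, as is the choice to verify with `Get-NetFirewallPortFilter` and `Get-NetFirewallApplicationFilter`.

```powershell
# Added example (not from the video): the transcript's firewall policy as
# PowerShell, plus the checks a defender would run afterwards.
# ASSUMPTION: $PolicyStore defaults to the local persistent store. To target a
# GPO instead, pass "<domain FQDN>\<GPO name>" (placeholder, use your values).
param(
    [string]$PolicyStore = 'PersistentStore'
)

# 1. Profile state and defaults for Domain and Public: firewall on, unsolicited
#    inbound blocked, outbound allowed, notifications on, unicast replies to
#    multicast/broadcast allowed, and local rules merged with policy rules.
Set-NetFirewallProfile -PolicyStore $PolicyStore -Profile Domain, Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -NotifyOnListen True `
    -AllowUnicastResponseToMulticast True `
    -AllowLocalFirewallRules True

# 2. The predefined "Windows Management Instrumentation (WMI)" group is the
#    exception added in the video. Only its inbound rules are enabled, and
#    -Profile Domain is the "Advanced tab, domain only" step: WMI stays closed
#    while the machine is on a public network.
Get-NetFirewallRule -PolicyStore $PolicyStore `
    -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound |
    Set-NetFirewallRule -Enabled True -Action Allow -Profile Domain

# 3. Verification: show the profile settings and exactly what the WMI rules
#    open (protocol, port, program) and on which profiles.
Get-NetFirewallProfile -PolicyStore $PolicyStore -Profile Domain, Public |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction,
                  AllowLocalFirewallRules

Get-NetFirewallRule -PolicyStore $PolicyStore `
    -DisplayGroup 'Windows Management Instrumentation (WMI)' -Direction Inbound |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule     = $_.DisplayName
            Enabled  = $_.Enabled
            Profile  = $_.Profile
            Protocol = $port.Protocol
            Port     = $port.LocalPort
            Program  = $app.Program
        }
    } | Format-Table -AutoSize

# 4. Defender's check: every enabled inbound allow rule that also applies on the
#    Public profile ("Any" means all profiles). The WMI rules must not appear
#    here; if they do, the profile scoping in step 2 did not take.
Get-NetFirewallRule -PolicyStore $PolicyStore -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.Profile -match 'Public|Any' } |
    Select-Object DisplayName, Profile, DisplayGroup
```

Run it in an elevated PowerShell session. The rule change is piped through `Get-NetFirewallRule -Direction Inbound` rather than passed to `Set-NetFirewallRule -DisplayGroup` directly because the WMI group also contains an outbound rule, and `-Direction` on `Set-NetFirewallRule` is a setting, not a filter. After the GPO has applied to a client, the same `Get-` queries with `-PolicyStore ActiveStore` show the effective result of the merged local and domain rules the video describes.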