
Windows - Security - Windows Firewall Management

Configure Windows Firewall port rules and profiles with automated standardization across all endpoints

Worklet Details

What the Windows Firewall Standardization Worklet does

This Automox Worklet™ standardizes Windows Firewall configuration through simplified port rule management. Rather than manually creating firewall rules through the Windows Firewall interface, you configure a list of ports to block or allow, and the Worklet applies those rules across specified firewall profiles (Public, Private, and Domain).

The Worklet supports common network services including HTTP (port 80), HTTPS (port 443), FTP (port 21), SFTP (port 22), SMB (port 445), RDP (port 3389), SMTP (port 25), SMTPS (port 587), SMTPSSL (port 465), IMAP (port 143), IMAPS (port 995), and Kerberos (port 88). It validates whether the firewall itself is enabled or disabled across all profiles, giving you complete control over both rule enforcement and firewall enablement status.

A key feature is intelligent rule conflict resolution. When you move a port from the allow list to the block list (or vice versa), the Worklet automatically removes the conflicting rule, preventing block rules from taking unintended precedence over allow rules. This prevents configuration inconsistencies and simplifies rule management across your organization.

Why standardize Windows Firewall across your organization

Inconsistent firewall policies across endpoints create exploitable gaps where attackers probe for exposed services. When some endpoints block port 445 (SMB) while others leave it open, attackers use network scanning to identify vulnerable systems for lateral movement. Organizations face compliance failures during audits when firewall configurations drift from documented standards, and manual rule management becomes impossible to maintain consistently across hundreds or thousands of endpoints.

Standardizing firewall rules through Automox means every endpoint in your organization follows the same security policies. This reduces your attack surface, simplifies troubleshooting network connectivity issues, and provides an auditable record of what rules are deployed across your infrastructure. By controlling which ports are exposed, you align with security frameworks like CIS Benchmarks and NIST 800-53 guidelines.

You also reduce the time administrators spend managing firewall rules manually. Instead of logging into each endpoint, the Worklet applies policies consistently across your entire estate, whether you have ten endpoints or ten thousand.

How Windows Firewall standardization works

  1. Evaluation phase: The Worklet checks the current firewall status for each configured profile and verifies that all required port rules exist. It detects missing block rules, missing allow rules, and block rules that prevent an allow rule from taking effect by querying each port with the Get-NetFirewallRule and Get-NetFirewallPortFilter cmdlets.

  2. Remediation phase: The Worklet creates firewall rules using New-NetFirewallRule PowerShell cmdlets for any ports that require blocking or allowing. It removes conflicting rules so allow rules take precedence when needed, enables or disables the firewall itself based on your configuration using Set-NetFirewallProfile, and applies rules to all specified profiles (Public, Private, and Domain). Rules created by this Worklet are labeled "AUTOMOX WORKLET: [Protocol][Port]" for easy identification and management.

Windows Firewall standardization requirements

  • Windows 8 or later, or Windows Server 2012 or later

  • PowerShell 3.0 or later

  • Administrator or elevated privileges required to create, modify, or remove firewall rules

  • Configure the $targetProfile variable to specify which profile(s) to apply rules to: Any (applies to Public, Private, and Domain), Public only, Private only, or Domain only

  • Configure the $targetState variable to enforce firewall enablement: 1 for enabled, 0 for disabled, or $null to skip firewall state enforcement

  • List desired ports in $portsToBlock or $portsToAllow using the service names defined in the script (HTTP, HTTPS, FTP, SFTP, SMB, RDP, SMTP, SMTPS, SMTPSSL, IMAP, IMAPS, Kerberos)
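The two phases described under "How Windows Firewall standardization works", driven by the configuration variables listed above, carried through as an added PowerShell example. This is not the Worklet's own script: the variable names $targetProfile, $targetState, $portsToBlock and $portsToAllow and the port assignments come from this page, while the helper function names, the -Remediate switch, the reading of the "[Protocol][Port]" label as service name followed by port number, and the exit-code convention are assumptions of the example.

```powershell
# Added example, not the Automox Worklet's own code. It implements the evaluate-then-
# remediate flow the page describes. $targetProfile, $targetState, $portsToBlock and
# $portsToAllow are the page's variable names and the port map copies the page's
# assignments; the rule-name layout ("AUTOMOX WORKLET: <Service><Port>", one reading of
# "[Protocol][Port]"), the helper names, the -Remediate switch and the exit codes are
# assumptions of this example.
#Requires -RunAsAdministrator
param([switch]$Remediate)   # without -Remediate the script only evaluates and reports

$targetProfile = 'Any'        # Any | Public | Private | Domain
$targetState   = 1            # 1 = enabled, 0 = disabled, $null = leave firewall state alone
$portsToBlock  = @('SMB', 'RDP')
$portsToAllow  = @('HTTPS')

$portMap = @{
    HTTP = 80;  HTTPS = 443;  FTP     = 21;  SFTP = 22;  SMB   = 445; RDP      = 3389
    SMTP = 25;  SMTPS = 587;  SMTPSSL = 465; IMAP = 143; IMAPS = 995; Kerberos = 88
}

function Get-WorkletRuleName([string]$Service) {
    "AUTOMOX WORKLET: $Service$($portMap[$Service])"
}

# Worklet-created inbound rules with the given action whose port filter covers $Port
function Get-WorkletRule([int]$Port, [string]$Action) {
    Get-NetFirewallRule -DisplayName 'AUTOMOX WORKLET:*' -Direction Inbound -Action $Action `
                        -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$Port" }
}

# Evaluation: list every missing rule, every conflicting rule and any profile whose
# enabled state differs from $targetState. An empty list means the endpoint is compliant.
function Test-FirewallState {
    $findings = @()
    foreach ($svc in $portsToBlock) {
        $port = $portMap[$svc]
        if (-not (Get-WorkletRule $port 'Block')) { $findings += "missing block rule for $svc ($port)" }
        if (Get-WorkletRule $port 'Allow')        { $findings += "stale allow rule for $svc ($port)" }
    }
    foreach ($svc in $portsToAllow) {
        $port = $portMap[$svc]
        if (-not (Get-WorkletRule $port 'Allow')) { $findings += "missing allow rule for $svc ($port)" }
        # Windows Firewall lets a block rule win over an allow rule, so this is a conflict
        if (Get-WorkletRule $port 'Block')        { $findings += "block rule overriding allow for $svc ($port)" }
    }
    if ($null -ne $targetState) {
        $want     = if ($targetState -eq 1) { 'True' } else { 'False' }
        $profiles = if ($targetProfile -eq 'Any') { Get-NetFirewallProfile } else { Get-NetFirewallProfile -Name $targetProfile }
        foreach ($p in $profiles) {
            if ("$($p.Enabled)" -ne $want) { $findings += "profile $($p.Name) Enabled=$($p.Enabled), expected $want" }
        }
    }
    return $findings
}

# Remediation: drop the opposite Worklet rule for a port before (re)creating the wanted one,
# then enforce the profile state. A service listed in both lists is treated as blocked.
function Invoke-FirewallRemediation {
    foreach ($svc in ($portsToBlock + $portsToAllow | Select-Object -Unique)) {
        $port   = $portMap[$svc]
        $action = if ($portsToBlock -contains $svc) { 'Block' } else { 'Allow' }
        $other  = if ($action -eq 'Block') { 'Allow' } else { 'Block' }
        Get-WorkletRule $port $other | Remove-NetFirewallRule
        if (-not (Get-WorkletRule $port $action)) {
            New-NetFirewallRule -DisplayName (Get-WorkletRuleName $svc) -Direction Inbound -Protocol TCP `
                                -LocalPort $port -Action $action -Profile $targetProfile -Enabled True | Out-Null
        }
    }
    if ($null -ne $targetState) {
        $enabled = if ($targetState -eq 1) { 'True' } else { 'False' }
        if ($targetProfile -eq 'Any') { Set-NetFirewallProfile -All -Enabled $enabled }
        else                          { Set-NetFirewallProfile -Name $targetProfile -Enabled $enabled }
    }
}

$drift = @(Test-FirewallState)
if ($drift.Count -eq 0) { Write-Output 'COMPLIANT'; exit 0 }
$drift | ForEach-Object { Write-Output "NON-COMPLIANT: $_" }
if ($Remediate) { Invoke-FirewallRemediation; exit 0 }
exit 1   # assumed convention: non-zero evaluation exit means remediation is needed
```

Run it once without arguments on a pilot endpoint to see the drift findings, then with -Remediate. The order inside Invoke-FirewallRemediation matters: the conflicting rule is removed before the wanted rule is checked for, so moving a service from $portsToAllow to $portsToBlock never leaves both rules present, which is the precedence problem the page describes.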

Expected firewall state after standardization

After the Worklet runs, your endpoints will have standardized firewall rules applied to the specified profiles. Ports you designated for blocking will no longer accept inbound connections, and ports you designated for allowing will accept traffic. The firewall itself will be enabled or disabled according to your $targetState setting.

Verification: Run Get-NetFirewallRule | Where-Object {$_.DisplayName -like "*AUTOMOX WORKLET*"} in PowerShell to list all Worklet-created rules. Check firewall status with Get-NetFirewallProfile to confirm the enabled/disabled state matches your configuration. Test port blocking by attempting a connection to a blocked port with Test-NetConnection -ComputerName localhost -Port 80, which should fail if port 80 is blocked. Conflicting rules are automatically removed, leaving only the intended configuration.
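The three verification checks above, combined into one PowerShell report as an added example that is not part of the Worklet. It uses only the cmdlets the page names; the $ExpectedBlocked, $ExpectedAllowed, $ExpectedEnabled, $ExpectedProfiles and $ProbeHost parameters, the check names and the report shape are assumptions of this example.

```powershell
# Added verification example, not the Worklet's own code. Each check returns a
# pass/fail object so the report can be read by a person or fed to a ticketing job.
# All parameters below are this example's assumptions; set them to match the Worklet
# configuration that was deployed.
param(
    [int[]]$ExpectedBlocked     = @(445, 3389),     # TCP ports configured in $portsToBlock
    [int[]]$ExpectedAllowed     = @(443),           # TCP ports configured in $portsToAllow
    [string]$ExpectedEnabled    = 'True',           # 'True' if $targetState was 1, 'False' if 0
    [string[]]$ExpectedProfiles = @('Domain', 'Private', 'Public'),
    [string]$ProbeHost          = ''                # another endpoint that ran the Worklet
)

function New-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    [pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail }
}

# Every Worklet-created rule with the local port(s) and profiles it applies to
function Get-WorkletRuleInventory {
    Get-NetFirewallRule -DisplayName '*AUTOMOX WORKLET*' -ErrorAction SilentlyContinue | ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name    = $_.DisplayName
            Action  = "$($_.Action)"
            Enabled = "$($_.Enabled)"
            Ports   = @($pf.LocalPort)
            Profile = "$($_.Profile)"
        }
    }
}

# Each expected port needs an enabled Worklet rule with the right action and must not also
# carry a rule with the opposite action (a leftover the Worklet should have removed).
function Test-PortRules([string]$Action, [int[]]$Ports, [object[]]$Inventory) {
    foreach ($port in $Ports) {
        $match    = @($Inventory | Where-Object { $_.Ports -contains "$port" -and $_.Action -eq $Action -and $_.Enabled -eq 'True' })
        $opposite = @($Inventory | Where-Object { $_.Ports -contains "$port" -and $_.Action -ne $Action })
        New-Check "$Action rule for TCP $port" ($match.Count -gt 0 -and $opposite.Count -eq 0) `
                  "found=$($match.Count) conflicting=$($opposite.Count)"
    }
}

function Test-WorkletRules {
    $inv = @(Get-WorkletRuleInventory)
    Test-PortRules 'Block' $ExpectedBlocked $inv
    Test-PortRules 'Allow' $ExpectedAllowed $inv
}

# Profile state as reported by Get-NetFirewallProfile
function Test-ProfileState {
    foreach ($p in (Get-NetFirewallProfile -Name $ExpectedProfiles)) {
        New-Check "profile $($p.Name) enabled" ("$($p.Enabled)" -eq $ExpectedEnabled) `
                  "Enabled=$($p.Enabled) DefaultInboundAction=$($p.DefaultInboundAction)"
    }
}

# Reachability: -InformationLevel Quiet makes Test-NetConnection return a plain $true/$false.
# A blocked port should give $false, but $false is also what you get when nothing listens
# on the port, so the probe only proves something against a host that actually serves it.
function Test-BlockedPorts([string]$Target) {
    foreach ($port in $ExpectedBlocked) {
        $open = Test-NetConnection -ComputerName $Target -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
        New-Check "TCP $port unreachable on $Target" (-not $open) "TcpTestSucceeded=$open"
    }
}

$report = @(Test-WorkletRules) + @(Test-ProfileState)
if ($ProbeHost) { $report += @(Test-BlockedPorts $ProbeHost) }
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Pass }) { exit 1 } else { exit 0 }
```

Run it on the endpoint itself for the rule and profile checks, and pass -ProbeHost with the name of a second endpoint that ran the Worklet for the reachability check; probing the local machine, as in the Test-NetConnection -ComputerName localhost command above, tells you little about the inbound rule because a loopback connection fails whenever no service listens on that port, rule or no rule.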

How to validate Windows Firewall management changes

  1. Run this Worklet on a pilot Windows endpoint and review the evaluation output for Windows Firewall management.

  2. Confirm Automox activity logs show successful completion and exit code 0.

  3. Verify endpoint state using checks aligned with the evaluation script's logic, which relies on operations such as New-ACE, New-NetFirewallRule, and Out-Null.

  4. Validate the remediation effects of script operations such as New-ACE, New-NetFirewallRule, and Out-Null, then rerun the evaluation to confirm compliance.



What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
