If you ever feel that someone may be trying to break into your FTP or IIS server or know an IP address that you want to block from accessing your server there is a built in firewall on all of our 2008-2012 Windows servers. You can use this firewall to block either a range of IP addresses or a single address. Turning Windows Firewall On
A firewall profile is a way of grouping settings, such as firewall rules and connection security rules, which are applied to the computer depending on where the computer is connected. On computers running this version of Windows, there are three profiles for Windows Firewall with Advanced Security:
- Domain Profile – Applied to a network adapter when it is connected to a network on which it can detect a domain controller of the domain to which the computer is joined.
- Private Profile – Applied to a network adapter when it is connected to a network that is identified by the user or administrator as a private network. A private network is one that is not connected directly to the Internet, but is behind some kind of security device, such as a network address translation (NAT) router or hardware firewall. For example, this could be a home network, or a business network that does not include a domain controller. The Private profile settings should be more restrictive than the Domain profile settings.
- Public Profile – Applied to a network adapter when it is connected to a public network such as those available in airports and coffee shops. When the profile is not set to Domain or Private, the default profile is Public. The Public profile settings should be the most restrictive because the computer is connected to a public network where the security cannot be controlled. For example, a program that accepts inbound connections from the Internet (like a file sharing program) may not work in the Public profile because the Windows Firewall default setting will block all inbound connections to programs that are not on the list of allowed programs.
Each network adapter is assigned the firewall profile that matches the detected network type. For example, if a network adapter is connected to a public network, then all traffic going to or from that network is filtered by the firewall rules associated with the Public profile.
- Click on “Windows Firewall Properties” to enable the firewall using the “Public Profile” because this interface faces the public network.
- Click on the “Public” tab to enable the firewall services for this profile.
- Click on the “Customize” button (under State) to select the Protected Network Connections that should be protected. Click OK.
Notice: I’m not interested in protecting the Mgmnt Subnet interface that’s on the private network. I’m only concerned with the the DMZ subnet.
- Click on the “Customize” button (under Logging) to enable firewall logging.
- Select Yes for Log Dropped Packets. Click OK, then click OK again to close the Profile Configuration Dialogue
Your Windows Firewall should be active and you should be ready to create individual connection rules to meet your needs.
Using the GUI
- Log into your server via RDP.
- Click on start > administrative tools > windows firewall with advanced security.
- On the left side of the firewall window click on the inbound rules option.
- On the right side of the screen click on New Rule.
- Click on the custom radio button and then click next.
- Make sure the All programs radio is selected then click next.
- On the protocol and ports options leave everything at its defaults and click next.
- On the scope screen you will see two boxes the top one is for local IP addresses and the bottom is for remote IP addresses. In this scenario we are trying to block an outside (remote) IP from accessing anything on the server so we will need to add the IP address to this section only as it will not be a local IP address.
- Click on the radio that says “these IP addresses ” in the remote section as shown below:
Let’s block some offenders:
- Click on the Add button.
- In the next window we will be adding a single IP address to the rule, you can also add an entire range at this point if you wish. example: 22.214.171.124/8
- Click ok, click next.
- Make sure you select the Block the connection radio on the next screen and then click next.
- Leave all of the options on the next screen checked this will be sure to block the IP no matter the connection they are trying to use. Click next.
From the CLI
- You can get current firewall status from this command:
netsh advfirewall firewall show rule name="IP Block - FTP Abusers"
- Even better, update the rule to block all international IP’s
netsh advfirewall firewall set rule name="IP Block - FTP Abusers" new remoteip="126.96.36.199/8,188.8.131.52/8,184.108.40.206/8,220.127.116.11/8,18.104.22.168/8,22.214.171.124/8, 126.96.36.199/8,188.8.131.52/8,184.108.40.206/8,220.127.116.11/8,18.104.22.168/8,22.214.171.124/8,126.96.36.199/8, 188.8.131.52/8,184.108.40.206/8,220.127.116.11/8,18.104.22.168/8,22.214.171.124/8,126.96.36.199/8, 188.8.131.52/8,184.108.40.206/8,220.127.116.11/8,18.104.22.168/24,22.214.171.124/24, 126.96.36.199/8,188.8.131.52/8,184.108.40.206/8,220.127.116.11/8,18.104.22.168/8,22.214.171.124/8, 126.96.36.199/8,188.8.131.52/8,184.108.40.206/8,220.127.116.11/8,18.104.22.168/8,22.214.171.124/8, 126.96.36.199/8,188.8.131.52/8,184.108.40.206/8,220.127.116.11/8,18.104.22.168/8,22.214.171.124/8, 126.96.36.199/8,188.8.131.52/8,184.108.40.206/8,220.127.116.11/8,18.104.22.168/8,22.214.171.124/8"
“Brute Force Password” attacks and “DDoS” attacks have dwindled significantly since employing these rules.