How to Configure Windows Firewall for Maximum Security

Learn how to properly configure Windows Firewall to protect your PC from network threats. Step-by-step guide with screenshots and advanced settings.

By Mike Torres

Let’s talk about Windows Firewall. Here’s the thing most people don’t realize: it’s one of your most powerful security tools, and it’s already running on your PC. But in my years of securing corporate networks and consulting with home users, I’ve seen countless systems where it’s configured incorrectly—leaving users vulnerable even though they think they’re protected.

This guide shows you how to actually configure Windows Firewall properly—not the complicated enterprise setups I used to deploy for businesses, but practical security that works for everyday use. Combined with proper privacy settings, you’ll have a solid foundation that blocks real threats without breaking your favorite programs.

What is Windows Firewall?

Windows Firewall monitors and controls network traffic entering and leaving your computer. According to Microsoft’s official documentation, it:

  • Blocks unauthorized incoming connections
  • Can control outgoing connections (with advanced settings)
  • Works with different network types (Public, Private, Domain)
  • Integrates with Windows Defender for enhanced protection

Quick Security Check

Before diving into configuration, verify your firewall is active:

  1. Open Windows Security from the Start menu
  2. Click Firewall & network protection
  3. Ensure firewall is ON for all three network types:
    • Domain networks
    • Private networks
    • Public networks

Warning: Never turn off Windows Firewall unless you have a specific technical reason and alternative protection.

Understanding Network Profiles

Windows uses three network profiles with different security levels. Microsoft’s best practices guide explains how each profile balances security and functionality:

Domain Networks

  • Connected to a corporate domain
  • Managed by IT administrators
  • Most permissive (assumes trusted environment)

Private Networks

  • Home and work networks you trust
  • Medium security level
  • Allows file sharing and network discovery

Public Networks

  • Coffee shops, airports, hotels
  • Highest security level
  • Blocks file sharing and network discovery

Best Practice: Always select “Public” when connecting to untrusted networks.

Here’s the thing about Public networks that I tell every client: I’ve seen people get their data stolen at coffee shops because they selected “Private” to get file sharing working. Don’t do this. If you need to share files, wait until you’re on your home network. The five minutes of inconvenience beats dealing with a compromised account.

Basic Firewall Configuration

Changing Network Profile

If Windows incorrectly identifies your network:

  1. Go to Settings > Network & Internet
  2. Click on your network connection
  3. Under Network profile type, choose:
    • Public for untrusted networks
    • Private for home networks

Allowing Apps Through Firewall

Some programs need network access to function:

  1. Open Windows Security > Firewall & network protection
  2. Click Allow an app through firewall
  3. Click Change settings
  4. Check boxes for apps you trust:
    • Check Private for home network access
    • Check Public only if needed on untrusted networks
  5. Click OK to save

Security Tip: Only allow apps on Public networks if absolutely necessary.

Blocking an App

To prevent a program from accessing the internet:

  1. Open Windows Defender Firewall with Advanced Security
  2. Click Outbound Rules in left panel
  3. Click New Rule in right panel
  4. Select Program, click Next
  5. Browse to the program’s .exe file
  6. Select Block the connection
  7. Check all profiles (Domain, Private, Public)
  8. Name the rule and click Finish

Advanced Firewall Settings

Access advanced settings:

  1. Press Windows + R
  2. Type wf.msc and press Enter
  3. Windows Defender Firewall with Advanced Security opens

Creating Inbound Rules

Block specific ports or IP addresses:

Block a Port:

  1. Click Inbound Rules > New Rule
  2. Select Port, click Next
  3. Choose TCP or UDP
  4. Enter specific port number
  5. Select Block the connection
  6. Apply to all profiles
  7. Name the rule descriptively

Block an IP Address:

  1. Create new Inbound Rule
  2. Select Custom
  3. Choose All programs
  4. Under Scope, add IP address to block
  5. Select Block the connection
  6. Apply to all profiles

Creating Outbound Rules

Control which programs can access the internet:

  1. Click Outbound Rules > New Rule
  2. Follow similar process to inbound rules
  3. Use to block:
    • Telemetry and tracking (see our Privacy Settings guide for more ways to reduce data collection)
    • Unwanted app updates
    • Programs that shouldn’t access internet

Monitoring Active Connections

See what’s currently connected:

  1. In Advanced Firewall, click Monitoring
  2. Expand Firewall to see active rules
  3. Expand Security Associations for VPN connections

Block Common Attack Vectors

Create these inbound rules for extra security. As outlined in Microsoft’s SMB security guidance, blocking unused network services reduces your attack surface. In my consulting work, these are the first rules I create on every system I configure:

Block Legacy NetBIOS (if not needed on network):

NetBIOS is a protocol from the 1980s—think of it as an unlocked back door that modern Windows systems don’t even need anymore. Most home users have zero legitimate reason for NetBIOS to be open, but it’s still active by default.

  • Block UDP ports 137, 138
  • Block TCP port 139

Restrict SMB/CIFS (if not using file sharing):

  • Block TCP port 445 from internet traffic
  • Note: Keep enabled on trusted networks for file sharing and network discovery
  • If you want to completely disable file sharing services, see our guide on disabling unnecessary Windows services

Block Remote Desktop (if not used):

  • Block TCP port 3389

Block Telnet:

  • Block TCP port 23
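
The same inbound rules can be created from an elevated PowerShell prompt with the built-in NetSecurity cmdlets. This is an added example, not part of the original guide; the group name and rule names are made up for illustration, and SMB is blocked on the Public profile only so that file sharing keeps working on trusted networks.

```powershell
# Added example: run from an elevated PowerShell prompt.
# 'Hardening (guide example)' is a hypothetical group name used to tag the rules.
$group = 'Hardening (guide example)'

# Ports come from the list above. SMB is blocked on the Public profile only,
# so file sharing still works on Private and Domain networks.
$rules = @(
    @{ Name = 'Block NetBIOS name and datagram (UDP 137-138)'; Protocol = 'UDP'; Ports = @('137', '138'); Profile = 'Any' }
    @{ Name = 'Block NetBIOS session (TCP 139)';               Protocol = 'TCP'; Ports = @('139');        Profile = 'Any' }
    @{ Name = 'Block SMB on Public (TCP 445)';                 Protocol = 'TCP'; Ports = @('445');        Profile = 'Public' }
    @{ Name = 'Block Remote Desktop (TCP 3389)';               Protocol = 'TCP'; Ports = @('3389');       Profile = 'Any' }
    @{ Name = 'Block Telnet (TCP 23)';                         Protocol = 'TCP'; Ports = @('23');         Profile = 'Any' }
)

foreach ($r in $rules) {
    # Skip rules that already exist so the script can be re-run safely.
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
        Write-Host "Exists:  $($r.Name)"
        continue
    }
    New-NetFirewallRule -DisplayName $r.Name -Group $group `
        -Direction Inbound -Action Block `
        -Protocol $r.Protocol -LocalPort $r.Ports `
        -Profile $r.Profile | Out-Null
    Write-Host "Created: $($r.Name)"
}

# Review what was created. Block rules take precedence over allow rules,
# so disable the matching rule here if you later need RDP or file sharing.
Get-NetFirewallRule -Group $group |
    Select-Object DisplayName, Enabled, Direction, Action, Profile |
    Format-Table -AutoSize
```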

Enable Logging

Track blocked and allowed connections. Microsoft recommends enabling logging to monitor suspicious activity and troubleshoot connection issues:

  1. Right-click Windows Defender Firewall (top of tree)
  2. Select Properties
  3. For each profile tab:
    • Click Customize under Logging
    • Set Log dropped packets to Yes
    • Set Log successful connections to Yes
    • Note log file location
  4. Click OK to save

Review logs at: C:\Windows\System32\LogFiles\Firewall\pfirewall.log
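
Once logging is on, the log is easier to read as a summary than line by line. The following added example (not part of the original guide) parses pfirewall.log using its own #Fields header and counts dropped inbound packets per destination port; the function name and the sample log lines are constructed for illustration.

```powershell
# Added example. To switch logging on for every profile (elevated prompt):
#   Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True -LogAllowed True

function Get-FirewallDropSummary {
    param([string[]]$Lines)

    $fields = @()
    $events = foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # The header names the columns; use it rather than fixed positions.
            $fields = ($line -replace '^#Fields:\s*', '').Trim() -split '\s+'
            continue
        }
        # Ignore other header lines, blank lines, and anything before the header.
        if ($fields.Count -eq 0 -or $line -match '^\s*(#|$)') { continue }

        $values = $line.Trim() -split '\s+'
        $row = [ordered]@{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $values.Count); $i++) {
            $row[$fields[$i]] = $values[$i]
        }
        [pscustomobject]$row
    }

    # Keep packets the firewall dropped on the way in, then count per port.
    $events |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object -Property protocol, 'dst-port' |
        Sort-Object -Property Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Protocol = $_.Group[0].protocol
                DstPort  = $_.Group[0].'dst-port'
                Drops    = $_.Count
                Sources  = ($_.Group.'src-ip' | Sort-Object -Unique) -join ', '
            }
        }
}

# Constructed sample in pfirewall.log format (documentation-range addresses).
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2025-01-15 09:12:01 DROP TCP 203.0.113.7 192.168.1.20 51514 445 52 S 1234567 0 64240 - - - RECEIVE
2025-01-15 09:12:04 DROP TCP 198.51.100.9 192.168.1.20 40022 3389 52 S 2345678 0 64240 - - - RECEIVE
2025-01-15 09:12:09 DROP TCP 203.0.113.7 192.168.1.20 51515 445 52 S 1234599 0 64240 - - - RECEIVE
2025-01-15 09:12:15 ALLOW TCP 192.168.1.20 198.51.100.20 50011 443 0 - 0 0 0 - - - SEND
2025-01-15 09:12:20 DROP UDP 192.168.1.33 192.168.1.255 137 137 78 - - - - - - - RECEIVE
'@ -split '\r?\n'

Get-FirewallDropSummary -Lines $sample | Format-Table -AutoSize

# On a real machine (elevated prompt):
# Get-FirewallDropSummary -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```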

Firewall Notification Settings

Control when Windows asks permission:

  1. Go to Windows Security > Firewall & network protection
  2. Click Firewall notification settings (or Advanced settings)
  3. For each network type, configure:
    • Notify me when firewall blocks a new app
    • Block all incoming connections for maximum security
      • WARNING: Blocks even explicitly allowed apps, may break network connectivity, VPN, file sharing, and remote access
      • Use only temporarily in hostile environments

Troubleshooting Common Issues

Event ID 2042 Warnings (Windows 11 24H2)

If you see Event ID 2042 errors in Event Viewer after recent Windows 11 updates:

  • This is a known cosmetic logging issue in Windows 11 24H2
  • Your firewall is still functioning normally
  • Microsoft acknowledges this is not a functional problem
  • No action required—it’s just a false warning

Program Can't Connect to Internet

If a legitimate program can’t access the internet:

  1. Check if Windows Firewall is blocking it
  2. Review firewall logs for blocked connections
  3. Create an exception for the program
  4. Test with firewall temporarily disabled (to confirm it’s the cause)

Game or App Multiplayer Not Working

Online gaming often requires specific ports to be open:

  1. Look up required ports for your game
  2. Create inbound rules allowing those ports
  3. Only allow on Private network if possible
  4. Test connection after applying rules

Remote Access Problems (RDP or VPN)

For remote desktop or VPN connection issues:

  1. Verify remote access rules are enabled in firewall
  2. Check network profile (should be Private or Domain)
  3. Confirm port 3389 (RDP) or VPN ports are open
  4. Test from remote location to verify access

Firewall Best Practices

Do’s:

  • Keep firewall enabled at all times
  • Use Public profile for untrusted networks
  • Review allowed apps regularly
  • Enable logging to monitor suspicious activity
  • Update Windows regularly for firewall improvements
  • Only allow necessary apps through firewall

Don’ts:

  • Disable firewall to “fix” connection problems (find real cause)
  • Allow unknown programs through firewall
  • Use same security level for all networks
  • Ignore firewall notifications (investigate each one)
  • Open ports unnecessarily
  • Disable for “better gaming performance” (negligible impact)

Third-Party Firewalls

Windows Firewall is sufficient for most users, but some prefer third-party options:

Pros of third-party firewalls:

  • More granular control
  • Better user interfaces
  • Advanced features (application control, IDS/IPS)
  • Network traffic monitoring

Cons:

  • Additional cost
  • May conflict with Windows Firewall
  • Potential performance impact
  • Learning curve

My Recommendation: I’m often asked if Windows Firewall is really enough. After years of testing and deploying both Windows Firewall and third-party options, here’s my honest answer: Windows Firewall is excellent for most home users. Only consider third-party solutions if you need specific advanced features or centralized management for multiple PCs.

Testing Your Firewall

Verify your firewall is working:

  1. Visit ShieldsUP! at grc.com
  2. Click Proceed
  3. Click All Service Ports
  4. Wait for scan to complete
  5. Result should show most/all ports as “Stealth”

Note: Some ports may show “Closed” instead of “Stealth” - both are secure.

When to Reset Firewall

If firewall rules become messy or problematic:

  1. Open Windows Defender Firewall
  2. Click Restore defaults in left panel
  3. Confirm to reset all firewall settings
  4. Reconfigure important rules

Warning: This removes all custom rules. Document important rules first.

Conclusion

Properly configured Windows Firewall provides excellent protection against network threats. By following this guide, you’ve secured your PC against most network-based attacks while maintaining functionality for legitimate programs.

Remember to:

  • Keep firewall enabled always
  • Use appropriate network profiles
  • Review allowed apps quarterly
  • Monitor firewall logs for suspicious activity
  • Update Windows regularly


Frequently Asked Questions

What's the difference between Public and Private network profiles?

Private networks are for trusted environments like your home or office. Windows enables network discovery, file sharing, and other features that let devices communicate. This profile is more permissive because you control who’s on the network.

Public networks are for coffee shops, airports, hotels—anywhere with unknown users. Windows blocks file sharing and network discovery, making your PC invisible to others. Most inbound traffic is blocked even if you’ve created allow rules.

Best practice: Always choose Public for networks you don’t control. Yes, it’s less convenient, but I’ve seen too many data breaches happen because someone chose Private at a coffee shop to get file sharing working. The five minutes of inconvenience beats dealing with a compromised system.

Should I turn off Windows Firewall if I have third-party antivirus?

No, you should keep Windows Firewall enabled even with third-party antivirus. Here’s why: antivirus and firewalls serve different purposes. Antivirus scans for malware in files, while firewalls control network traffic.

If your third-party security suite includes its own firewall component, it will automatically manage Windows Firewall settings for compatibility—you don’t need to disable anything manually. If your third-party software only provides antivirus (not firewall), you definitely need Windows Firewall active for network protection.

The Windows Filtering Platform (which underpins the firewall) is required for networking and security policies in Windows, so the firewall service stays running even if you have third-party security software.

Why does Windows Firewall keep blocking my games or apps?

This happens when apps try to accept incoming network connections but don’t have firewall rules configured. Games with multiplayer, torrent clients, and remote access software commonly trigger firewall blocks.

To fix it:

  1. Go to Windows Security > Firewall & network protection > Allow an app through firewall
  2. Click Change settings, find your app in the list
  3. Check Private for home network access
  4. Only check Public if you need the app to work on untrusted networks (usually unnecessary for games)

For games, you may also need to create inbound rules for specific ports—check the game’s documentation for required port numbers. The firewall isn’t trying to ruin your gaming experience; it’s blocking suspicious incoming connections until you explicitly allow them.

Will Windows Firewall slow down my internet or gaming performance?

No. Windows Firewall has negligible performance impact on modern hardware. It operates at the network stack level with minimal CPU overhead—we’re talking microseconds of latency that you’ll never notice.

I’ve tested this extensively in gaming environments, and there’s no measurable difference in ping, bandwidth, or FPS between firewall enabled and disabled. If you’re experiencing slow internet or gaming lag, the firewall isn’t the cause—look at your ISP connection, router configuration, or background processes instead.

Disabling your firewall for “better performance” is security theater that exposes you to real network threats for zero actual benefit.

How do I know if Windows Firewall is actually protecting me?

You can test your firewall using online port scanning tools:

  1. Visit ShieldsUP! at grc.com
  2. Click Proceed, then All Service Ports
  3. Wait for the scan to complete
  4. Results should show most ports as “Stealth” (invisible) or “Closed” (protected)

If you see many ports showing as “Open,” that indicates potential security issues. Review your firewall rules and remove unnecessary exceptions.

You can also enable firewall logging (covered in this guide) to see what connections Windows Firewall is blocking. Review the log at C:\Windows\System32\LogFiles\Firewall\pfirewall.log to see blocked connection attempts—if you’re online, you’ll likely see dozens of blocked probes daily. That’s your firewall working.

What ports should I block for better security?

If you’re not using specific network services, blocking these common attack vectors improves security:

NetBIOS (legacy protocol, rarely needed): UDP ports 137, 138 and TCP port 139

SMB/CIFS file sharing (if not needed): TCP port 445—but keep this open on Private networks if you use file sharing

Remote Desktop (if not used): TCP port 3389

Telnet (obsolete, insecure): TCP port 23

However, don’t just start blocking random ports. Windows Firewall already blocks incoming connections by default unless you’ve explicitly allowed them. Focus on removing unnecessary “allow” rules rather than creating blocking rules. The guide’s “Block Common Attack Vectors” section covers this in detail.
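
To find "allow" rules worth removing, list the enabled inbound allow rules that are active on the Public profile, together with the program and port each one opens. This is an added example, not part of the original guide; it uses only the built-in NetSecurity cmdlets, and the rule name in the last comment is a placeholder.

```powershell
# Added example; run from an elevated prompt so every rule is visible.
# Lists enabled inbound allow rules that apply on the Public profile
# ('Any' means all profiles, so it counts as well).
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.Profile.ToString() -match 'Any|Public' } |
    ForEach-Object {
        # Each rule keeps its program and port conditions in separate filter objects.
        $app  = $_ | Get-NetFirewallApplicationFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Group     = $_.DisplayGroup
            Profile   = $_.Profile
            Program   = $app.Program
            Protocol  = $port.Protocol
            LocalPort = $port.LocalPort -join ','
        }
    } |
    Sort-Object Group, Rule |
    Format-Table -AutoSize -Wrap

# To switch off a rule you do not need (placeholder name):
# Disable-NetFirewallRule -DisplayName '<rule name from the table>'
```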

Can I use Windows Firewall to block a program from accessing the internet?

Yes, you can create outbound rules to block specific programs:

  1. Open Windows Defender Firewall with Advanced Security (press Windows+R, type wf.msc)
  2. Click Outbound Rules > New Rule
  3. Select Program, browse to the .exe file
  4. Choose Block the connection
  5. Apply to all profiles (Domain, Private, Public)
  6. Name the rule descriptively

This is useful for blocking telemetry, preventing unwanted updates, or stopping programs that shouldn’t access the network. I use this technique to block certain apps from phoning home while still allowing them to function locally.

Note: Some programs are clever and have multiple executables or update mechanisms, so you may need several rules to fully block network access.
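
The steps from “Blocking an App” can be scripted so that every executable in a program's folder gets its own outbound block rule, which covers the multiple-executable case in the note above. This is an added example, not part of the original guide; the function name, the group name and the ExampleApp path are hypothetical.

```powershell
# Added example; run from an elevated PowerShell prompt.
function Add-OutboundProgramBlock {
    param(
        [Parameter(Mandatory)] [string]$InstallDir,
        [string]$Group = 'Outbound blocks (guide example)'   # hypothetical group name
    )

    if (-not (Test-Path -LiteralPath $InstallDir -PathType Container)) {
        throw "Folder not found: $InstallDir"
    }

    # Program paths that already have a rule in this group (makes re-runs safe).
    $existing = @(Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue |
        Get-NetFirewallApplicationFilter |
        ForEach-Object { $_.Program })

    Get-ChildItem -LiteralPath $InstallDir -Filter *.exe -File -Recurse |
        ForEach-Object {
            if ($existing -contains $_.FullName) { return }

            # Same choices as the wizard: Program, Block the connection, all profiles.
            New-NetFirewallRule -DisplayName "Block outbound: $($_.Name)" `
                -Group $Group -Direction Outbound -Action Block `
                -Program $_.FullName -Profile Any | Out-Null

            $_.FullName   # emit the path so the caller sees what was blocked
        }
}

# Hypothetical install folder; replace with the program you want to keep offline.
Add-OutboundProgramBlock -InstallDir 'C:\Program Files\ExampleApp'

# Rules match on the exact file path. Re-run after the program updates, and
# check for helper executables installed outside this folder.
# To undo everything created here:
# Remove-NetFirewallRule -Group 'Outbound blocks (guide example)'
```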

Why is my VPN getting blocked by Windows Firewall?

VPN applications frequently trigger Windows Firewall alerts because they modify network routing and create virtual network adapters. This is normal behavior, not a security threat.

To fix VPN blocking:

  1. When Windows Firewall shows the security alert for your VPN, click Allow access
  2. Or manually allow it: Windows Security > Allow an app through firewall
  3. Find your VPN client, check both Private and Public networks
  4. Make sure your VPN’s ports are open (common VPN ports: UDP 500, 4500 and TCP 1723)

If your VPN still doesn’t work after allowing it through the firewall, check if “Block all incoming connections” is enabled for Public networks—this setting blocks even explicitly allowed apps and will break VPN functionality. Disable it in Firewall notification settings.

Is Windows Firewall enough, or do I need a third-party firewall?

For most home users, Windows Firewall is absolutely sufficient. I’ve deployed both Windows Firewall and third-party solutions in corporate environments, and here’s my honest assessment: Windows Firewall provides excellent protection for typical home use.

When Windows Firewall is enough:

  • You’re a home user with standard security needs
  • You don’t need granular per-application outbound control
  • You’re comfortable with the Windows interface
  • You want integrated protection without additional software

When to consider third-party:

  • You need advanced traffic monitoring and analytics
  • You want easier-to-use interfaces for complex rules
  • You need intrusion detection/prevention features
  • You’re managing multiple PCs and want centralized control

Third-party firewalls like ZoneAlarm, Comodo, or GlassWire offer more features but add complexity, cost, and potential conflicts. Start with Windows Firewall properly configured (using this guide), and only explore third-party options if you have specific advanced requirements.


Quick Reference

Enable/Disable Firewall: Windows Security > Firewall & network protection

Allow App: Windows Security > Allow an app through firewall

Advanced Rules: Press Windows+R, type wf.msc

View Logs: C:\Windows\System32\LogFiles\Firewall\pfirewall.log

Test Firewall: Visit grc.com/shieldsup

Stay protected and maintain healthy skepticism about programs requesting network access!

Mike Torres

Security Specialist

Mike's background in cybersecurity gives him a unique perspective on keeping Windows PCs safe. After years of consulting with businesses on threat protection, he now focuses on helping everyday users understand security without the fear-mongering. Mike believes security doesn't have to be complicated—just consistent.
