Hello everyone,
I'm trying to create a few rules in a Windows 2012 Firewall. It's currently joined to a domain, and I would like the following rules:
Allow all internet and LAN access for the security group "admin".
Block 80, 443, 8443 only for the internet for the security group "user".
Allow all LAN access, including 80, 443, and 8443, for the security group "user".
I can't find a way to get this to work with the Windows firewall... Could someone please help me?
Thank you!
Brian
Solution
The problem with Windows Firewall is that there is no order to the rule processing, so you need to make sure you don't have a conflicting rule that could be triggered. So you'll need to remove any HTTP/HTTPS rules that exist that would allow the outbound traffic.
You may want to change the default outbound rule to block instead of allow.
For the admin group you'll need to create a few rules.
- They will all be Custom rule types.
- Programs should be all.
- You'll need a rule for TCP and UDP (separate rules with the remote ports specified 80, 443 and 8443); local should be all.
- Scope would be any/any.
- Action: Allow if secure > allow the connection to use null encapsulation.
- Computers > Only allow connections to these computers (kind of confusing; add the domain group here).
- Profile will be whatever firewall profile you're using.
The users rule will be pretty similar, but under Scope set the remote IP addresses to include only your LAN IP ranges; you can use CIDR notation here.
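The same rules built with the NetSecurity cmdlets, as an added example that is not from the thread's author. It assumes the Domain profile, placeholder LAN ranges, that "admin" and "user" are domain user groups (so the rule's local-user authorization, -LocalUser, is used; the GUI's Computers tab corresponds to -RemoteMachine), and that the ActiveDirectory module is available for Get-ADGroup.

```powershell
# Added example, not the answerer's own steps. Placeholders: LAN CIDRs and group names.
Import-Module NetSecurity
Import-Module ActiveDirectory   # assumption: RSAT AD module installed, for Get-ADGroup

$lanRanges = @('10.0.0.0/8', '192.168.0.0/16')   # placeholder LAN ranges (CIDR)
$ports     = @('80', '443', '8443')

# New-NetFirewallRule takes the group as an SDDL string: D:(A;;CC;;;<group SID>)
function Get-GroupSddl([string]$GroupName) {
    $sid = (Get-ADGroup -Identity $GroupName).SID.Value
    return "D:(A;;CC;;;$sid)"
}

# 1. Audit: list existing outbound ALLOW rules for 80/443/8443. Because rule order is not
#    evaluated, any of these would let the traffic through regardless of the new rules.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -in 'TCP','UDP' -and ($_.RemotePort | Where-Object { $_ -in $ports }) } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Outbound' -and $_.Action -eq 'Allow' } |
    Select-Object Name, DisplayName, Enabled

# 2. Default outbound action: block, so only explicit allow rules pass traffic.
Set-NetFirewallProfile -Profile Domain -DefaultOutboundAction Block

# 3. One TCP and one UDP rule per group. Programs and local port stay at their "all/any"
#    defaults. admin: remote scope Any; user: remote scope limited to the LAN ranges.
$groups = @{
    admin = @{ Sddl = (Get-GroupSddl 'admin'); Remote = 'Any' }
    user  = @{ Sddl = (Get-GroupSddl 'user');  Remote = $lanRanges }
}
foreach ($name in $groups.Keys) {
    foreach ($proto in 'TCP','UDP') {
        # -Authentication NoEncap = "Allow the connection if it is secure" with
        # "allow the connection to use null encapsulation".
        New-NetFirewallRule -DisplayName "Web out ($name, $proto)" `
            -Direction Outbound -Action Allow -Profile Domain `
            -Protocol $proto -LocalPort Any -RemotePort $ports `
            -RemoteAddress $groups[$name].Remote `
            -Authentication NoEncap `
            -LocalUser $groups[$name].Sddl | Out-Null
    }
}
```

An "allow if secure" rule only matches traffic that is already authenticated by an IPsec connection security rule, which the thread does not cover; without one, these rules will never match and the default-block action applies.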