Using Windows Firewall
Windows Security is a free suite of software included on Windows PCs which helps protect against viruses, malware, spyware, ransomware, and more.
What's Windows Firewall?
Windows Firewall, also called Windows Defender Firewall, is the firewall component of that suite. It's a necessary security tool that every internet-connected PC should be running. A firewall allows specific programs and services to talk to the network while blocking others. Out of the box, Windows Firewall blocks unsolicited incoming connections and allows all outgoing traffic unless a rule says otherwise, so restricting what a program may send out takes a rule you add yourself (see "Manually Blocking Programs" below). Used this way, it stops malicious software from reaching the internet and sharing your information, and it keeps unwanted incoming traffic or network attacks from reaching your PC in the first place.
In the real world, a firewall is a fireproof or fire resistant wall between units in large buildings. It prevents fires from spreading from one unit to the next. It doesn't put out the fires, but it contains them or slows them down. A network security firewall does a similar thing - it contains the problem, but does not get rid of the problem. You still need to use antivirus software to remove the threat, or uninstall the malicious program, just as you'd still need to call the fire department to put out a fire in one apartment.
Windows Firewall is simple to use and set up. More advanced rules and options are available for those who need them, though they are a bit more complex to configure.
Enabling Windows Firewall
Unless you are using a different security suite (Norton, McAfee, etc.), Windows Firewall is enabled by default in Windows. If Windows Firewall is disabled, then you will have to manually turn it back on.
To check if it's active, open the start menu and type "Firewall." An option should appear to open "Windows Defender Firewall" in the control panel. This screen will inform you if Windows Firewall is turned on. It will also tell you if another firewall is being used instead of Windows Firewall.
If you need to turn Windows Defender Firewall back on, click "Turn Windows Defender Firewall on or off" in the left menu and set each listed network profile (Private and Public, plus Domain on a domain-joined PC) to "On." Alternatively, just click "Use recommended settings" from the main page of Windows Defender Firewall.
You may also check the firewall status from the Firewall page under the "Windows Security" application.
If you're using another security suite, it's probably fine to continue using its firewall. If you'd rather use Windows Firewall, first uninstall or disable the other firewall and restart your PC. Then navigate to the same "Windows Defender Firewall" option and turn it back on. Don't run two firewalls at once: each keeps its own rule set, so a connection one of them allows can be silently dropped by the other, which makes connectivity problems hard to diagnose.
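The same checks and the "turn it back on" step can be done from an elevated PowerShell prompt, which is handy on a machine you manage remotely. This is an added example, not part of the original article; it uses the NetSecurity cmdlets that ship with Windows 8 and later, and the third-party-firewall check relies on the Security Center WMI namespace, which exists on client editions of Windows but not on Windows Server.

```powershell
# Added example (not from the original article): check the state of Windows
# Defender Firewall and re-enable it. Run from an elevated PowerShell prompt.

# Per-profile state. Windows Firewall keeps three profiles: Domain, Private, Public.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, NotifyOnListen |
    Format-Table -AutoSize

# Is a third-party firewall registered with Windows Security Center?
# (root/SecurityCenter2 exists on client Windows only; on Server this returns nothing.)
$thirdParty = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName FirewallProduct `
    -ErrorAction SilentlyContinue
foreach ($fw in $thirdParty) {
    Write-Host "Third-party firewall registered: $($fw.displayName)"
}

# Turn Windows Defender Firewall on for all three profiles. This is roughly the
# command-line equivalent of "Use recommended settings": enabled, block
# unsolicited inbound traffic, allow outbound, and alert when a new app is blocked.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -NotifyOnListen True

# Confirm nothing is still off.
Get-NetFirewallProfile |
    Where-Object { $_.Enabled -ne 'True' } |
    ForEach-Object { Write-Warning "Profile $($_.Name) is still disabled" }
```

If the FirewallProduct query lists something other than Windows Defender Firewall, that product is the one actually in control, and you should uninstall or disable it before re-enabling the Windows profiles, as described above.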
When a program starts listening for incoming connections and no firewall rule covers it yet (for example, when you start a server), you will receive an alert like the following one:
If you see an alert like this and you don't recognize the app, or it seems suspicious, click Cancel. Consider uninstalling the unknown app and running a full virus scan. If you want to allow the app access, you can allow it on private networks, public networks, or both.
You are most likely to see a message like this if you're trying to open ports on your computer, run a server, or let someone into your machine. If you're in a public location, you probably don't want to allow it. On a private network such as your home network, allowing it is usually fine provided you trust the application, but keep in mind what you are granting: every device on that network can now reach the port the program listens on, so you are trusting the other devices on the LAN as much as the program itself.
In the example above, I'm trying to run a MySQL database server. For it to be reachable from my local network, the MySQL server has to listen on a port (3306 by default) and accept connections. That's why it asked whether I want to allow access. The alert was not triggered by the publisher being unknown or not registered with Microsoft; the alert displays publisher information, but what fires it is the program accepting incoming connections with no matching rule.
If I were trying to run a test server from a coffee shop, and my database contained important information, I probably wouldn't have allowed the access.
Identifying Network Type
By default, Windows will assign the profile of "Public" to new networks until you specify them as private. If you're not sure if your network connection is public or private, you can view this from either the Network Connections page or the main screen of the Windows Defender Firewall settings.
You should leave the profile as Public if you are using a public internet resource, such as a coffee shop, library, hotel, or store's Wi-Fi service.
If set to Private, your PC can discover other devices on the network and other devices can discover it. Private networks are best for when you are at home or work, and want to see the shared network printer, remotely connect to a PC in another room, or share files with other devices over the LAN, for example.
To change the network profile type in Windows 11, go to Start, Settings, Network & Internet, Wi-Fi (or Ethernet for a wired connection), then "YourNetworkName" Properties.
You should see a screen that looks like this. Just change the radio button under profile type to the desired setting.
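The profile matters because inbound allow rules are scoped to profiles, so changing the profile changes what other devices on the network can reach. The following added example (not from the original article) reads the current profile from PowerShell, lists the enabled inbound Allow rules that apply to it, and then shows the cmdlet that switches the profile. It assumes a single active connection and takes the interface alias from that connection; the Set- step needs an elevated prompt.

```powershell
# Added example (not part of the original article): which profile is the current
# connection in, and which inbound Allow rules are live on it?

# Get-NetConnectionProfile returns one object per connected interface.
$conn = Get-NetConnectionProfile | Select-Object -First 1
$conn | Select-Object Name, InterfaceAlias, NetworkCategory | Format-List

# Map the connection category onto the profile name firewall rules use.
$fwProfile = switch ($conn.NetworkCategory) {
    'Public'              { 'Public' }
    'Private'             { 'Private' }
    'DomainAuthenticated' { 'Domain' }
}

# Enabled inbound Allow rules that apply to this profile, or to every profile
# ("Any"). This is the surface another device on the same network can reach.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $_.Profile -eq 'Any' -or (("$($_.Profile)" -split ',\s*') -contains $fwProfile)
    } |
    Select-Object DisplayName, Profile, Group |
    Sort-Object DisplayName |
    Format-Table -AutoSize

# Switch the connection to Private when you get home (elevated prompt required) ...
Set-NetConnectionProfile -InterfaceAlias $conn.InterfaceAlias -NetworkCategory Private

# ... and back to Public before joining a coffee shop or hotel network.
# Set-NetConnectionProfile -InterfaceAlias $conn.InterfaceAlias -NetworkCategory Public
```

Run the listing once with the connection set to Public and once set to Private: the difference between the two lists is exactly what you expose by choosing Private on an untrusted network.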
Manually Blocking Programs
Windows Firewall trusts most well-known programs that don't need special network access by default. For example, the first time you run Google Chrome you probably won't see the security alert - it will just allow it.
Suppose you didn't want to allow Chrome to access the internet. You can achieve this by manually blocking the program.
Note: Do not use the "Allow an app or feature through Windows Defender Firewall" option for this. That page is a simplified view that manages only the list of inbound exceptions; it cannot create an outbound block, and it doesn't show you the full set of rules, so you can't tell whether the correct app is really being blocked. I've encountered problems trying to change things from this interface.
1. Instead, navigate to the "Advanced Settings" option. This opens "Windows Defender Firewall with Advanced Security", where every rule is listed.
2. Next, create an inbound and/or outbound rule to block the specific application.
   - Inbound rules prevent the program from accepting incoming connections.
   - Outbound rules prevent the program from sending data out.
   - Outbound rules are arguably the more important option if you're concerned about sensitive data being sent somewhere unexpectedly. Remember that Windows Firewall allows all outbound traffic by default, so nothing stops a program from phoning home until you add a block rule.
   - Many internet-connected applications require both directions to function. You're best off blocking both if your goal is to stop the program from reaching the network completely.
3. Begin by going to "Inbound Rules" and scroll through the list to see if rules already exist for the app you want to block.
4. If they do, double-click the rule, change the action from "Allow the connection" to "Block the connection", and click OK.
5. More likely, you'll have to create a new rule. If the app is not already in the list, select "New Rule..." in the Actions pane on the right.
6. On the first page, select "Program" as the rule type, since we're blocking a specific program. Click Next.
7. Next, select the program's executable file: choose "This program path" and click "Browse".
   - This is the location where the application is installed on your hard drive.
   - The file should end with the .exe extension.
   - In most cases it will be stored in an application folder under C:\Program Files or C:\Program Files (x86). Some applications install under your user profile (C:\Users\<your name>\AppData\Local) instead; look there if it isn't in Program Files.
   - If you don't know where to find it, search for "install location of Chrome", for example, or right-click the app's shortcut and choose "Open file location".
8. Click Next once you've found the right executable file.
9. Select "Block the connection" and click Next.
10. Leave all three profiles (Domain, Private, and Public) checked and click Next.
11. Give the rule a name and click Finish.
    - You may name it whatever you want. However, I find it's best to include the application name at the beginning, so I can easily find the rule later if I need to change anything.
12. Repeat steps 3 through 11, but this time from the "Outbound Rules" section instead of "Inbound Rules".
13. Test the program. It should no longer be able to connect to the internet.
Some applications use multiple executable files. If this is the case, they usually have one main executable. Block this first.
If your goal is to completely block the program, you should also block other executables found in the application's folder, such as launchers, updaters, or other utilities.
If you ever want to allow the program to use the internet again, go back to the rules you created and either disable them (right-click, "Disable Rule"), delete them, or double-click them and change the action from Block to Allow.
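The whole procedure above, including the "block every executable in the application's folder" advice, can be scripted. This added example is not from the original article; it uses New-NetFirewallRule from an elevated prompt. The Chrome install path is the usual machine-wide location and is an assumption, as is the rule-naming scheme; change both to suit the program you are blocking. An explicit Block rule takes precedence over any Allow rule for the same program in Windows Firewall, so the existing allow rules can be left in place.

```powershell
# Added example (not part of the original article): block every executable of an
# application in both directions, then verify. Run from an elevated prompt.

$appName   = 'Google Chrome'                                  # prefix for rule names (assumption)
$appFolder = 'C:\Program Files\Google\Chrome\Application'     # usual install path (assumption)

if (-not (Test-Path -LiteralPath $appFolder)) {
    throw "Install folder not found: $appFolder (right-click the shortcut, 'Open file location')"
}

# Main binary plus launchers, updaters and helpers living under the install folder.
$exes = Get-ChildItem -LiteralPath $appFolder -Recurse -Filter *.exe

foreach ($exe in $exes) {
    foreach ($dir in 'Inbound', 'Outbound') {
        # Name starts with the app name so the rule is easy to find in the MMC later.
        $ruleName = "$appName - Block $dir - $($exe.Name)"
        if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
            continue   # already created on a previous run
        }
        New-NetFirewallRule -DisplayName $ruleName `
            -Direction $dir `
            -Program $exe.FullName `
            -Action Block `
            -Profile Any `
            -Enabled True | Out-Null
    }
}

# Verify: every rule we created, its direction, and whether it is active.
Get-NetFirewallRule -DisplayName "$appName - Block*" |
    Select-Object DisplayName, Direction, Action, Enabled |
    Sort-Object DisplayName |
    Format-Table -AutoSize

# Undo later with one of these (same name prefix makes it a one-liner):
#   Disable-NetFirewallRule -DisplayName "$appName - Block*"   # keep rules, switch off
#   Remove-NetFirewallRule  -DisplayName "$appName - Block*"   # delete rules entirely
```

After running it, start the application and confirm it cannot load a page or fetch updates; if it still connects, run the verify step again and check whether it is launching a binary from a folder you did not enumerate (updaters sometimes live outside the application folder).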
Allowing App Through Firewall
If you accidentally block an application, want to check if an application is blocked, or otherwise need to change any of the previously discussed settings, go to "Advanced Settings" from the Windows Firewall page.
Next, you will need to visually search through the Inbound and Outbound rules sections to find any rules pertaining to the application in question.
Note that this might be annoying. Some rules might not be named exactly the same as their application. It's also possible you'll have to look for things that start with the company's name first. For example, "Google Chrome" instead of just "Chrome."
There is no built-in search function; the Filter options in the Actions pane only narrow the list by profile, state, or group. You can sort the rules alphabetically by name by clicking the "Name" column header.
Find the rule, and double click it.
Allow the connection, or make the relevant changes, and click OK.
Double check that there are no other rules you need to change. Some applications have multiple entries. Check both the inbound and outbound sections.
Test the application to ensure it's functioning as expected.
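Because rule names don't always match the program, the reliable way to find every rule for an application is to search by the executable path the rule points at. The added example below is not from the original article; it defines a small helper that does that search with the NetSecurity cmdlets and then re-allows whatever block rules it finds. The 'chrome' pattern is a placeholder assumption; substitute any fragment of the program's path. The Set- and Disable- steps need an elevated prompt.

```powershell
# Added example (not part of the original article): find firewall rules by the
# program they apply to, regardless of how the rules were named, then fix them.

function Find-FirewallRulesByProgram {
    param([Parameter(Mandatory)][string]$PathPattern)

    # Each rule scoped to a program has an application filter carrying the path.
    # Piping matching filters into Get-NetFirewallRule returns the owning rules.
    Get-NetFirewallApplicationFilter |
        Where-Object { $_.Program -like "*$PathPattern*" } |
        Get-NetFirewallRule
}

# Inbound and outbound rules both show up, whether named "Google Chrome",
# "Chrome", or something unrelated.
Find-FirewallRulesByProgram -PathPattern 'chrome' |
    Select-Object DisplayName, Direction, Action, Enabled, Profile |
    Sort-Object Direction, DisplayName |
    Format-Table -AutoSize

# Option 1: flip every Block rule for the program back to Allow.
Find-FirewallRulesByProgram -PathPattern 'chrome' |
    Where-Object { $_.Action -eq 'Block' } |
    Set-NetFirewallRule -Action Allow

# Option 2 (commented out): keep the Block rules but switch them off for now.
# Find-FirewallRulesByProgram -PathPattern 'chrome' |
#     Where-Object { $_.Action -eq 'Block' } |
#     Disable-NetFirewallRule

# Re-run the listing to confirm no enabled Block rule remains.
Find-FirewallRulesByProgram -PathPattern 'chrome' |
    Where-Object { $_.Action -eq 'Block' -and $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Direction
```

The search walks every application filter on the machine, so it takes a few seconds, but it catches rules the MMC's name-sorted list would hide, such as a rule created by an installer under the vendor's name rather than the product's.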
If you think Windows Defender Firewall could be a good fit for you, but want finer control over what it's doing and more information on your traffic (ports, protocols, IPs, etc.), check out Windows Firewall Control.
Windows Firewall Control is a program which extends the functionality of Windows Defender Firewall. It makes Windows Defender Firewall behave much more like a premium, paid product. Essentially, this program creates and maintains the advanced firewall rules for you, in a nicer, cleaner interface with more features. You're still using Windows Defender Firewall.
One of my favorite features is that it lets you search existing firewall rules by name, a basic feature not included with Windows Defender Firewall out of the box.
It supports various levels of filtering and granular control over what gets in and out. For example, you can use strict mode to restrict all traffic, except the programs you explicitly allow. It's supported on every version of Windows from 7 to 11, and it's free.
Below are some screenshots of the program in use. The only thing I don't like about this interface is the banner at the top nudging you to try Malwarebytes Premium, however, that doesn't affect the functionality at all.
Looking For Other Firewalls?
If you're looking for a complete alternative to Windows Defender Firewall, check out Avast One. Their essential bundle is free and includes a firewall.
If you'd like to pay for a security suite, check out all the options discussed in the antivirus comparison guide. Every paid option includes a firewall.