Windows firewall rule audit
A read-only Windows Firewall audit that records enabled allow rules, ports, profiles, and address scopes.
Good For
- exposure review
- server hardening
- migration prep
- incident scoping
- policy drift detection
How to Use It
- Collect enabled inbound allow rules from the target host or server group.
- Join rule evidence with port and address filter details so broad local ports and remote-any scopes are visible.
- Compare active allow rules against the application owner, baseline policy, and known management ports.
- Flag rules with Any profile, Any remote address, broad port ranges, unknown owners, or stale application names.
- Separate discovery from remediation so production dependencies are understood before rule changes.
- Export the evidence for security and application owner review.
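The flagging step above (Any profile, Any remote address, broad port ranges, unknown owners) is not implemented by the command starter. The following added example, not part of the original page, classifies rows shaped like the starter's output against an approved management port list and an owner map; the function name, the 100-port "broad range" threshold, and the sample rows are assumptions.

```powershell
# Added example: classify firewall audit rows. Input rows need DisplayName, Profile,
# LocalPort and RemoteAddress, the same fields the command starter emits.
function Get-FirewallExposureFinding {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [int[]] $ApprovedManagementPorts = @(),
        [hashtable] $OwnerMap = @{},
        [int] $BroadRangeThreshold = 100   # assumption: a range of 100+ ports counts as broad
    )
    foreach ($Row in $Rows) {
        $Flags = New-Object System.Collections.Generic.List[string]
        # Profile 'Any' means the rule is active on Domain, Private and Public networks.
        if ("$($Row.Profile)" -eq 'Any') { $Flags.Add('AnyProfile') }
        if ("$($Row.RemoteAddress)" -eq 'Any') { $Flags.Add('AnyRemoteAddress') }
        # LocalPort can be 'Any', a single port, a range like '49152-65535', or an array of those.
        foreach ($Port in @($Row.LocalPort)) {
            if ("$Port" -eq 'Any') { $Flags.Add('AnyLocalPort'); continue }
            if ("$Port" -match '^(\d+)-(\d+)$') {
                $Span = [int]$Matches[2] - [int]$Matches[1] + 1
                if ($Span -ge $BroadRangeThreshold) { $Flags.Add("BroadRange:$Port") }
            }
            elseif ("$Port" -match '^\d+$' -and $ApprovedManagementPorts -contains [int]$Port) {
                $Flags.Add("ManagementPort:$Port")
            }
        }
        $Owner = $OwnerMap["$($Row.DisplayName)"]
        if (-not $Owner) { $Flags.Add('UnknownOwner') }
        # Classification buckets follow the page's validation criteria.
        $Class = 'approved'
        if ($Flags.Count -gt 0) { $Class = if ($Owner) { 'exception' } else { 'unknown' } }
        [pscustomobject]@{
            DisplayName    = $Row.DisplayName
            LocalPort      = (@($Row.LocalPort) -join ',')
            RemoteAddress  = (@($Row.RemoteAddress) -join ',')
            Owner          = $Owner
            Flags          = ($Flags -join ';')
            Classification = $Class
        }
    }
}

# Constructed sample rows standing in for the starter's CSV output.
$Sample = @(
    [pscustomobject]@{ DisplayName = 'Remote Desktop - User Mode (TCP-In)'; Profile = 'Any'; LocalPort = '3389'; RemoteAddress = 'Any' },
    [pscustomobject]@{ DisplayName = 'LegacyApp RPC'; Profile = 'Domain'; LocalPort = '49152-65535'; RemoteAddress = '10.0.0.0/8' }
)
Get-FirewallExposureFinding -Rows $Sample -ApprovedManagementPorts 3389, 5985 `
    -OwnerMap @{ 'Remote Desktop - User Mode (TCP-In)' = 'Platform team' } | Format-Table -AutoSize
```

To run it against real evidence, pipe the starter's `$Results` (or `Import-Csv` of its CSV) into `-Rows` and export the findings the same way.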
Execution Modes
- local
- remote-single-host
- remote-host-list
Inputs and Outputs
Inputs
- computer name
- CSV or TXT server list
- approved management port list
- application owner mapping
Outputs
- verbose-console
- csv
Command Starter
Safe to run: read-only
# ---------------------------------------------------------------------
# Windows Firewall exposure starter
# ---------------------------------------------------------------------
$OutputPath = '.\windows-firewall-rule-audit.csv'
$Results = foreach ($Rule in Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow) {
    # Filter objects are tied to a rule. Query them in context so the report is truly joined.
    $PortFilters    = @(Get-NetFirewallPortFilter -AssociatedNetFirewallRule $Rule)
    $AddressFilters = @(Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $Rule)
    foreach ($PortFilter in $PortFilters) {
        foreach ($AddressFilter in $AddressFilters) {
            [pscustomobject]@{
                DisplayName   = $Rule.DisplayName
                Profile       = $Rule.Profile
                Enabled       = $Rule.Enabled
                Direction     = $Rule.Direction
                Action        = $Rule.Action
                Protocol      = $PortFilter.Protocol
                LocalPort     = $PortFilter.LocalPort
                RemotePort    = $PortFilter.RemotePort
                LocalAddress  = $AddressFilter.LocalAddress
                RemoteAddress = $AddressFilter.RemoteAddress
            }
        }
    }
}
$Results | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8
$Results | Format-Table -AutoSize
Validation
- Every scoped host has enabled inbound allow rule evidence or an access/error note.
- Broad or ownerless rules are classified as approved, exception, unknown, or cleanup candidate.
- Any later firewall change is validated by rerunning the same audit and testing the application path.
Reporting
- export enabled allow rules with port and address filters to CSV
- group broad exposure findings by host, profile, port, and owner
- promote repeated use into a firewall policy drift report
Safety Notes
- This audit is read-only and should not create, disable, or remove firewall rules.
- Do not tighten firewall scopes until application dependencies, break-glass access, and rollback are documented.