How many times have I seen “unauthorized access” turn out to be a lack of basic perimeter control? Far too many. If your Windows Servers aren’t running their built-in firewall, you’re not just leaving a door open; you’re removing the door frame entirely.
This isn’t just about blocking external threats. It’s about containing lateral movement once an attacker is inside. Domain, Private, Public profiles – each needs to be active. I’ve seen environments where the Public profile was enabled, but Domain was left off because “it’s an internal network.” That’s a critical oversight.
You need to ensure all profiles are enabled. This is fundamental network segmentation at the host level. It’s basic, but it’s still missed in far too many organizations I audit.
Here are the commands to get it done (enable all three profiles, then verify):

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
Get-NetFirewallProfile | Select Name, Enabled
Don’t assume. Verify. Enable the firewall on every profile.
The fix
# PowerShell
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
# Verify
Get-NetFirewallProfile | Select Name, Enabled
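As an added example (not part of the original post), the same check wrapped in a function that reports each profile's state and can re-enable any that are off; the function name is my own and it assumes the NetSecurity cmdlets used above (Windows Server 2012 and later):

```powershell
# Added example: audit the three Windows Firewall profiles and optionally
# turn back on any that are disabled. Function name is hypothetical; only
# Get-/Set-NetFirewallProfile from the NetSecurity module are used.
function Test-FirewallProfileCompliance {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Profiles the benchmark expects to be enabled
        [string[]] $ExpectedProfiles = @('Domain', 'Private', 'Public'),
        # Re-enable disabled profiles instead of only reporting them
        [switch] $Remediate
    )

    foreach ($name in $ExpectedProfiles) {
        $fwProfile = Get-NetFirewallProfile -Name $name -ErrorAction Stop
        # Enabled is a GpoBoolean (True/False/NotConfigured); only 'True' counts
        $enabled    = "$($fwProfile.Enabled)" -eq 'True'
        $remediated = $false

        if (-not $enabled) {
            Write-Warning "Firewall profile '$name' is not enabled (value: $($fwProfile.Enabled))"
            if ($Remediate -and $PSCmdlet.ShouldProcess($name, 'Enable firewall profile')) {
                Set-NetFirewallProfile -Name $name -Enabled True
                # Re-read rather than trust the Set call succeeded
                $enabled    = "$((Get-NetFirewallProfile -Name $name).Enabled)" -eq 'True'
                $remediated = $enabled
            }
        }

        [pscustomobject]@{
            Profile    = $name
            Enabled    = $enabled
            Remediated = $remediated
        }
    }
}

# Report only; non-zero exit lets a scheduled task or config-management run flag drift
$report = Test-FirewallProfileCompliance
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Enabled }) { exit 1 }

# To fix instead of only report (supports -WhatIf for a dry run):
# Test-FirewallProfileCompliance -Remediate
```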
Reference: CIS Windows Server Benchmark 9.1