Group Policy Management
Domain Controller Firewall
Data collected on: 5/19/2024 5:19:09 PM
General
Details
Domain: contoso.com
Owner: contoso\Domain Admins
Created: 3/6/2024 3:04:04 PM
Modified: 5/19/2024 5:17:24 PM
User Revisions: 0 (AD), 0 (SYSVOL)
Computer Revisions: 495 (AD), 495 (SYSVOL)
Unique ID: {37CB7204-5767-4AA7-8E85-D29FEBDFF6D6}
GPO Status: User settings disabled
Links
Location | Enforced | Link Status | Path
Domain Controllers | No | Enabled | contoso.com/Domain Controllers

This list only includes links in the domain of the GPO.
Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
Name
NT AUTHORITY\Authenticated Users
Delegation
These groups and users have the specified permission for this GPO
Name | Allowed Permissions | Inherited
contoso\Domain Admins | Edit settings, delete, modify security | No
contoso\Enterprise Admins | Edit settings, delete, modify security | No
NT AUTHORITY\Authenticated Users | Read (from Security Filtering) | No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | Read | No
NT AUTHORITY\SYSTEM | Edit settings, delete, modify security | No
Computer Configuration (Enabled)
Policies
Windows Settings
Scripts
Startup
For this GPO, Script order: Not configured
Name | Parameters
FirewallConfiguration.bat |
Security Settings
Windows Firewall with Advanced Security
Global Settings
Policy | Setting
Policy version | 2.31
Disable stateful FTP | Not Configured
Disable stateful PPTP | Not Configured
IPsec exempt | Not Configured
IPsec through NAT | Not Configured
Preshared key encoding | Not Configured
SA idle time | Not Configured
Strong CRL check | Not Configured
Domain Profile Settings
Policy | Setting
Firewall state | On
Inbound connections | Block
Outbound connections | Allow
Apply local firewall rules | No
Apply local connection security rules | No
Display notifications | No
Allow unicast responses | No
Log dropped packets | Yes
Log successful connections | No
Log file path | %systemroot%\system32\logfiles\firewall\pfirewall.log
Log file maximum size (KB) | 128
Private Profile Settings
Policy | Setting
Firewall state | On
Inbound connections | Block
Outbound connections | Allow
Apply local firewall rules | No
Apply local connection security rules | No
Display notifications | No
Allow unicast responses | No
Log dropped packets | Yes
Log successful connections | No
Log file path | %systemroot%\system32\logfiles\firewall\pfirewall.log
Log file maximum size (KB) | 128
Public Profile Settings
Policy | Setting
Firewall state | On
Inbound connections | Block
Outbound connections | Allow
Apply local firewall rules | No
Apply local connection security rules | No
Display notifications | No
Allow unicast responses | No
Log dropped packets | Yes
Log successful connections | No
Log file path | %systemroot%\system32\logfiles\firewall\pfirewall.log
Log file maximum size (KB) | 128
Inbound Rules
Name | Description
Active Directory Domain Controller - W32Time (NTP-UDP-In) | Inbound rule for the Active Directory Domain Controller service to allow NTP traffic for the Windows Time service. [UDP 123]
This rule might contain some elements that cannot be interpreted by the current version of GPMC reporting module
Enabled: True
Program: %systemroot%\System32\svchost.exe
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 17
Local port: 123
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.2.0/255.255.255.0, 10.220.3.0/255.255.255.0, 10.220.4.0/255.255.255.0, 10.220.5.0/255.255.255.0, 10.220.6.0/255.255.255.0
Profile: All
Network interface type: All
Service: w32time
Allow edge traversal: False
Group: Active Directory Domain Services
Active Directory Domain Controller (RPC-EPMAP) | Inbound rule for the RPCSS service to allow RPC/TCP traffic to the Active Directory Domain Controller service.
Enabled: True
Program: %systemroot%\system32\svchost.exe
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 6
Local port: RPC endpoint mapping
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.2.0/255.255.255.0, 10.220.3.0/255.255.255.0, 10.220.4.0/255.255.255.0, 10.220.5.0/255.255.255.0, 10.220.6.0/255.255.255.0
Profile: All
Network interface type: All
Service: rpcss
Allow edge traversal: False
Group: Active Directory Domain Services
Kerberos Key Distribution Center - PCR (UDP-In) | Inbound rule for the Kerberos Key Distribution Center service to allow for password change requests. [UDP 464]
Enabled: True
Program: %systemroot%\System32\lsass.exe
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 17
Local port: 464
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.2.0/255.255.255.0, 10.220.3.0/255.255.255.0, 10.220.4.0/255.255.255.0, 10.220.5.0/255.255.255.0, 10.220.6.0/255.255.255.0
Profile: All
Network interface type: All
Service: All programs and services
Allow edge traversal: False
Group: Kerberos Key Distribution Center
Kerberos Key Distribution Center - PCR (TCP-In) | Inbound rule for the Kerberos Key Distribution Center service to allow for password change requests. [TCP 464]
Enabled: True
Program: %systemroot%\System32\lsass.exe
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 6
Local port: 464
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.2.0/255.255.255.0, 10.220.3.0/255.255.255.0, 10.220.4.0/255.255.255.0, 10.220.5.0/255.255.255.0, 10.220.6.0/255.255.255.0
Profile: All
Network interface type: All
Service: All programs and services
Allow edge traversal: False
Group: Kerberos Key Distribution Center
Active Directory Domain Controller (RPC) | Inbound rule to allow remote RPC/TCP access to the Active Directory Domain Controller service.
Enabled: True
Program: %systemroot%\System32\lsass.exe
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 6
Local port: Dynamic RPC
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.2.0/255.255.255.0, 10.220.3.0/255.255.255.0, 10.220.4.0/255.255.255.0, 10.220.5.0/255.255.255.0, 10.220.6.0/255.255.255.0
Profile: All
Network interface type: All
Service: All programs and services
Allow edge traversal: False
Group: Active Directory Domain Services
Active Directory Domain Controller - LDAP (UDP-In) | Inbound rule for the Active Directory Domain Controller service to allow remote LDAP traffic. [UDP 389]
Enabled: True
Program: %systemroot%\System32\lsass.exe
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 17
Local port: 389
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.2.0/255.255.255.0, 10.220.3.0/255.255.255.0, 10.220.4.0/255.255.255.0, 10.220.5.0/255.255.255.0, 10.220.6.0/255.255.255.0
Profile: All
Network interface type: All
Service: All programs and services
Allow edge traversal: False
Group: Active Directory Domain Services
Active Directory Domain Controller - LDAP (TCP-In) | Inbound rule for the Active Directory Domain Controller service to allow remote LDAP traffic. [TCP 389]
Enabled: True
Program: %systemroot%\System32\lsass.exe
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 6
Local port: 389
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.2.0/255.255.255.0, 10.220.3.0/255.255.255.0, 10.220.4.0/255.255.255.0, 10.220.5.0/255.255.255.0, 10.220.6.0/255.255.255.0
Profile: All
Network interface type: All
Service: All programs and services
Allow edge traversal: False
Group: Active Directory Domain Services
Active Directory Domain Controller - Secure LDAP (TCP-In) | Inbound rule for the Active Directory Domain Controller service to allow remote Secure LDAP traffic. [TCP 636]
Enabled: True
Program: %systemroot%\System32\lsass.exe
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 6
Local port: 636
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.2.0/255.255.255.0, 10.220.3.0/255.255.255.0, 10.220.4.0/255.255.255.0, 10.220.5.0/255.255.255.0, 10.220.6.0/255.255.255.0
Profile: All
Network interface type: All
Service: All programs and services
Allow edge traversal: False
Group: Active Directory Domain Services
Active Directory Domain Controller - LDAP for Global Catalog (TCP-In) | Inbound rule for the Active Directory Domain Controller service to allow remote Global Catalog traffic. [TCP 3268]
Enabled: True
Program: %systemroot%\System32\lsass.exe
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 6
Local port: 3268
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.2.0/255.255.255.0, 10.220.3.0/255.255.255.0, 10.220.4.0/255.255.255.0, 10.220.5.0/255.255.255.0, 10.220.6.0/255.255.255.0
Profile: All
Network interface type: All
Service: All programs and services
Allow edge traversal: False
Group: Active Directory Domain Services
Active Directory Domain Controller - Secure LDAP for Global Catalog (TCP-In) | Inbound rule for the Active Directory Domain Controller service to allow remote Secure Global Catalog traffic. [TCP 3269]
Enabled: True
Program: %systemroot%\System32\lsass.exe
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 6
Local port: 3269
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.2.0/255.255.255.0, 10.220.3.0/255.255.255.0, 10.220.4.0/255.255.255.0, 10.220.5.0/255.255.255.0, 10.220.6.0/255.255.255.0
Profile: All
Network interface type: All
Service: All programs and services
Allow edge traversal: False
Group: Active Directory Domain Services
DNS (UDP, Incoming) | Inbound rule to allow remote UDP access to the DNS service.
Enabled: True
Program: %systemroot%\System32\dns.exe
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 17
Local port: 53
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: Any
Profile: All
Network interface type: All
Service: dns
Allow edge traversal: False
Group: DNS Service
DNS (TCP, Incoming) | Inbound rule to allow remote TCP access to the DNS service.
Enabled: True
Program: %systemroot%\System32\dns.exe
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 6
Local port: 53
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: Any
Profile: All
Network interface type: All
Service: dns
Allow edge traversal: False
Group: DNS Service
File Replication (RPC) | Inbound rule to allow File Replication RPC traffic.
Enabled: False
Program: %SystemRoot%\system32\NTFRS.exe
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 6
Local port: Dynamic RPC
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0
Profile: All
Network interface type: All
Service: NTFRS
Allow edge traversal: False
Group: File Replication
Kerberos Key Distribution Center (TCP-In) | Inbound rule for the Kerberos Key Distribution Center service. [TCP 88]
Enabled: True
Program: %systemroot%\System32\lsass.exe
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 6
Local port: 88
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.2.0/255.255.255.0, 10.220.3.0/255.255.255.0, 10.220.4.0/255.255.255.0, 10.220.5.0/255.255.255.0, 10.220.6.0/255.255.255.0
Profile: All
Network interface type: All
Service: All programs and services
Allow edge traversal: False
Group: Kerberos Key Distribution Center
Kerberos Key Distribution Center (UDP-In) | Inbound rule for the Kerberos Key Distribution Center service. [UDP 88]
Enabled: True
Program: %systemroot%\System32\lsass.exe
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 17
Local port: 88
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.2.0/255.255.255.0, 10.220.3.0/255.255.255.0, 10.220.4.0/255.255.255.0, 10.220.5.0/255.255.255.0, 10.220.6.0/255.255.255.0
Profile: All
Network interface type: All
Service: All programs and services
Allow edge traversal: False
Group: Kerberos Key Distribution Center
Active Directory Domain Controller - SAM/LSA (NP-UDP-In) | Inbound rule for the Active Directory Domain Controller service to be remotely managed over Named Pipes. [UDP 445]
Enabled: True
Program: System
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 17
Local port: 445
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.2.0/255.255.255.0, 10.220.3.0/255.255.255.0, 10.220.4.0/255.255.255.0, 10.220.5.0/255.255.255.0, 10.220.6.0/255.255.255.0
Profile: All
Network interface type: All
Service: All programs and services
Allow edge traversal: False
Group: Active Directory Domain Services
Active Directory Domain Controller - SAM/LSA (NP-TCP-In) | Inbound rule for the Active Directory Domain Controller service to be remotely managed over Named Pipes. [TCP 445]
Enabled: True
Program: System
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 6
Local port: 445
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.2.0/255.255.255.0, 10.220.3.0/255.255.255.0, 10.220.4.0/255.255.255.0, 10.220.5.0/255.255.255.0, 10.220.6.0/255.255.255.0
Profile: All
Network interface type: All
Service: All programs and services
Allow edge traversal: False
Group: Active Directory Domain Services
DFS Replication (RPC-In) | Inbound rule to allow DFS Replication RPC traffic.
Enabled: True
Program: %SystemRoot%\system32\dfsrs.exe
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 6
Local port: Dynamic RPC
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0
Profile: All
Network interface type: All
Service: Dfsr
Allow edge traversal: False
Group: DFS Replication
Active Directory Domain Controller - Echo Request (ICMPv4-In) | Inbound rule for the Active Directory Domain Controller service to allow Echo requests (ping).
Enabled: True
Program: System
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 1
Local port: Any
Remote port: Any
ICMP settings: type 8:code any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.2.0/255.255.255.0, 10.220.3.0/255.255.255.0, 10.220.4.0/255.255.255.0, 10.220.5.0/255.255.255.0, 10.220.6.0/255.255.255.0
Profile: All
Network interface type: All
Service: All programs and services
Allow edge traversal: False
Group: Active Directory Domain Services
Active Directory Domain Controller - Echo Request (ICMPv6-In) | Inbound rule for the Active Directory Domain Controller service to allow Echo requests (ping).
Enabled: True
Program: System
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 58
Local port: Any
Remote port: Any
ICMP settings: type 128:code any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.2.0/255.255.255.0, 10.220.3.0/255.255.255.0, 10.220.4.0/255.255.255.0, 10.220.5.0/255.255.255.0, 10.220.6.0/255.255.255.0
Profile: All
Network interface type: All
Service: All programs and services
Allow edge traversal: False
Group: Active Directory Domain Services
Active Directory Domain Controller - NetBIOS name resolution (UDP-In) | Inbound rule for the Active Directory Domain Controller service to allow NetBIOS name resolution. [UDP 138]
Enabled: False
Program: System
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 17
Local port: 138
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.2.0/255.255.255.0, 10.220.3.0/255.255.255.0, 10.220.4.0/255.255.255.0, 10.220.5.0/255.255.255.0, 10.220.6.0/255.255.255.0
Profile: All
Network interface type: All
Service: All programs and services
Allow edge traversal: False
Group: Active Directory Domain Services
File and Printer Sharing (NB-Name-In) | Inbound rule for File and Printer Sharing to allow NetBIOS Name Resolution. [UDP 137]
Enabled: False
Program: System
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 17
Local port: 137
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.2.0/255.255.255.0, 10.220.3.0/255.255.255.0, 10.220.4.0/255.255.255.0, 10.220.5.0/255.255.255.0, 10.220.6.0/255.255.255.0
Profile: All
Network interface type: All
Service: All programs and services
Allow edge traversal: False
Group: File and Printer Sharing
File and Printer Sharing (NB-Session-In) | Inbound rule for File and Printer Sharing to allow NetBIOS Session Service connections. [TCP 139]
Enabled: False
Program: System
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 6
Local port: 139
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.2.0/255.255.255.0, 10.220.3.0/255.255.255.0, 10.220.4.0/255.255.255.0, 10.220.5.0/255.255.255.0, 10.220.6.0/255.255.255.0
Profile: All
Network interface type: All
Service: All programs and services
Allow edge traversal: False
Group: File and Printer Sharing
Windows Internet Naming Service (WINS) (UDP-In) | Inbound rule for the Windows Internet Naming Service to allow WINS requests. [UDP 42]
Enabled: False
Program: %SystemRoot%\System32\wins.exe
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 17
Local port: 42
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.2.0/255.255.255.0, 10.220.3.0/255.255.255.0, 10.220.4.0/255.255.255.0, 10.220.5.0/255.255.255.0, 10.220.6.0/255.255.255.0
Profile: All
Network interface type: All
Service: WINS
Allow edge traversal: False
Group: Windows Internet Naming Service (WINS)
Windows Internet Naming Service (WINS) (TCP-In) | Inbound rule for the Windows Internet Naming Service to allow WINS requests. [TCP 42]
Enabled: False
Program: %SystemRoot%\System32\wins.exe
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 6
Local port: 42
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.2.0/255.255.255.0, 10.220.3.0/255.255.255.0, 10.220.4.0/255.255.255.0, 10.220.5.0/255.255.255.0, 10.220.6.0/255.255.255.0
Profile: All
Network interface type: All
Service: WINS
Allow edge traversal: False
Group: Windows Internet Naming Service (WINS)
Windows Internet Naming Service (WINS) - Remote Management (RPC) | Inbound rule for the Windows Internet Naming Service to allow remote management via RPC/TCP.
Enabled: False
Program: %SystemRoot%\System32\wins.exe
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 6
Local port: Dynamic RPC
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.3.0/255.255.255.0
Profile: All
Network interface type: All
Service: WINS
Allow edge traversal: False
Group: Windows Internet Naming Service (WINS) - Remote Management
Core Networking - Destination Unreachable (ICMPv6-In) | Destination Unreachable error messages are sent from any node that a packet traverses which is unable to forward the packet for any reason except congestion.
Enabled: True
Program: System
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 58
Local port: Any
Remote port: Any
ICMP settings: type 1:code any
Local scope: Any
Remote scope: Any
Profile: All
Network interface type: All
Service: All programs and services
Allow edge traversal: False
Group: Core Networking
Core Networking - Destination Unreachable Fragmentation Needed (ICMPv4-In) | Destination Unreachable Fragmentation Needed error messages are sent from any node that a packet traverses which is unable to forward the packet because fragmentation was needed and the don't fragment bit was set.
Enabled: True
Program: System
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 1
Local port: Any
Remote port: Any
ICMP settings: type 3:code 4
Local scope: Any
Remote scope: Any
Profile: All
Network interface type: All
Service: All programs and services
Allow edge traversal: False
Group: Core Networking
Core Networking - Neighbor Discovery Advertisement (ICMPv6-In) | Neighbor Discovery Advertisement messages are sent by nodes to notify other nodes of link-layer address changes or in response to a Neighbor Discovery Solicitation request.
Enabled: True
Program: System
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 58
Local port: Any
Remote port: Any
ICMP settings: type 136:code any
Local scope: Any
Remote scope: Any
Profile: All
Network interface type: All
Service: All programs and services
Allow edge traversal: False
Group: Core Networking
Core Networking - Neighbor Discovery Solicitation (ICMPv6-In) | Neighbor Discovery Solicitations are sent by nodes to discover the link-layer address of another on-link IPv6 node.
Enabled: True
Program: System
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 58
Local port: Any
Remote port: Any
ICMP settings: type 135:code any
Local scope: Any
Remote scope: Any
Profile: All
Network interface type: All
Service: All programs and services
Allow edge traversal: False
Group: Core Networking
Core Networking - Packet Too Big (ICMPv6-In) | Packet Too Big error messages are sent from any node that a packet traverses which is unable to forward the packet because the packet is too large for the next link.
Enabled: True
Program: System
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 58
Local port: Any
Remote port: Any
ICMP settings: type 2:code any
Local scope: Any
Remote scope: Any
Profile: All
Network interface type: All
Service: All programs and services
Allow edge traversal: False
Group: Core Networking
Core Networking - Parameter Problem (ICMPv6-In) | Parameter Problem error messages are sent by nodes as a result of incorrectly generated packets.
Enabled: True
Program: System
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 58
Local port: Any
Remote port: Any
ICMP settings: type 4:code any
Local scope: Any
Remote scope: Any
Profile: All
Network interface type: All
Service: All programs and services
Allow edge traversal: False
Group: Core Networking
Core Networking - Time Exceeded (ICMPv6-In) | Time Exceeded error messages are generated from any node that a packet traverses if the Hop Limit value is decremented to zero at any point on the path.
Enabled: True
Program: System
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 58
Local port: Any
Remote port: Any
ICMP settings: type 3:code any
Local scope: Any
Remote scope: Any
Profile: All
Network interface type: All
Service: All programs and services
Allow edge traversal: False
Group: Core Networking
Active Directory Web Services (TCP-In) | Inbound rule for the Active Directory Web Services. [TCP]
Enabled: True
Program: %systemroot%\ADWS\Microsoft.ActiveDirectory.WebServices.exe
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 6
Local port: 9389
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.3.0/255.255.255.0
Profile: All
Network interface type: All
Service: adws
Allow edge traversal: False
Group: Active Directory Web Services
Windows Remote Management (HTTP-In) | Inbound rule for Windows Remote Management via WS-Management. [TCP 5985]
Enabled: True
Program: System
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 6
Local port: 5985
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.3.0/255.255.255.0
Profile: All
Network interface type: All
Service: All programs and services
Allow edge traversal: False
Group: Windows Remote Management
Windows Remote Management (HTTPS-In) | Inbound rule for Windows Remote Management via WS-Management. [TCP 5986]
Enabled: True
Program: System
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 6
Local port: 5986
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.3.0/255.255.255.0
Profile: All
Network interface type: All
Service: All programs and services
Allow edge traversal: False
Group: Windows Remote Management
Windows Management Instrumentation (WMI-In) | Inbound rule to allow WMI traffic for remote Windows Management Instrumentation. [TCP]
Enabled: True
Program: %SystemRoot%\system32\svchost.exe
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 6
Local port: Any
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.3.0/255.255.255.0
Profile: All
Network interface type: All
Service: winmgmt
Allow edge traversal: False
Group: Windows Management Instrumentation (WMI)
Remote Desktop - User Mode (UDP-In) | Inbound rule for the Remote Desktop service to allow RDP traffic. [UDP 3389]
Enabled: True
Program: %SystemRoot%\system32\svchost.exe
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 17
Local port: 3389
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.3.0/255.255.255.0
Profile: All
Network interface type: All
Service: termservice
Allow edge traversal: False
Group: Remote Desktop
Remote Desktop - User Mode (TCP-In) | Inbound rule for the Remote Desktop service to allow RDP traffic. [TCP 3389]
Enabled: True
Program: %SystemRoot%\system32\svchost.exe
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 6
Local port: 3389
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.3.0/255.255.255.0
Profile: All
Network interface type: All
Service: termservice
Allow edge traversal: False
Group: Remote Desktop
DFS Management (TCP-In) | Inbound rule for DFS Management to allow the DFS Management service to be remotely managed via DCOM.
Enabled: True
Program: %systemroot%\system32\dfsfrsHost.exe
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 6
Local port: Dynamic RPC
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.3.0/255.255.255.0
Profile: All
Network interface type: All
Service: All programs and services
Allow edge traversal: False
Group: DFS Management
RPC (TCP, Incoming) | Inbound rule to allow remote RPC/TCP access to the DNS service.
Enabled: True
Program: %systemroot%\System32\dns.exe
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 6
Local port: Dynamic RPC
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.3.0/255.255.255.0
Profile: All
Network interface type: All
Service: dns
Allow edge traversal: False
Group: DNS Service
Name: Windows Backup (RPC)
Description: Inbound rule for the Windows Backup Service to be remotely managed via RPC/TCP
Enabled: True
Program: %systemroot%\system32\wbengine.exe
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 6
Local port: Dynamic RPC
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.3.0/255.255.255.0
Profile: All
Network interface type: All
Service: wbengine
Allow edge traversal: False
Group: Windows Backup
Name: Performance Logs and Alerts (TCP-In)
Description: Inbound rule for Performance Logs and Alerts traffic. [TCP-In]
Enabled: True
Program: %systemroot%\system32\plasrv.exe
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 6
Local port: Any
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.3.0/255.255.255.0
Profile: All
Network interface type: All
Service: All programs and services
Allow edge traversal: False
Group: Performance Logs and Alerts
Name: Remote Event Log Management (RPC)
Description: Inbound rule for the local Event Log service to be remotely managed via RPC/TCP.
Enabled: True
Program: %SystemRoot%\system32\svchost.exe
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 6
Local port: Dynamic RPC
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.3.0/255.255.255.0
Profile: All
Network interface type: All
Service: Eventlog
Allow edge traversal: False
Group: Remote Event Log Management
Name: Remote Scheduled Tasks Management (RPC)
Description: Inbound rule for the Task Scheduler service to be remotely managed via RPC/TCP.
Enabled: True
Program: %SystemRoot%\system32\svchost.exe
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 6
Local port: Dynamic RPC
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.3.0/255.255.255.0
Profile: All
Network interface type: All
Service: schedule
Allow edge traversal: False
Group: Remote Scheduled Tasks Management
Name: Remote Service Management (RPC)
Description: Inbound rule for the local Service Control Manager to be remotely managed via RPC/TCP.
Enabled: True
Program: %SystemRoot%\system32\services.exe
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 6
Local port: Dynamic RPC
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.3.0/255.255.255.0
Profile: All
Network interface type: All
Service: All programs and services
Allow edge traversal: False
Group: Remote Service Management
Name: COM+ Remote Administration (DCOM-In)
Description: Inbound rule to allow DCOM traffic to the COM+ System Application for remote administration.
Enabled: True
Program: %systemroot%\system32\dllhost.exe
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 6
Local port: Dynamic RPC
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.3.0/255.255.255.0
Profile: All
Network interface type: All
Service: COMSysApp
Allow edge traversal: False
Group: COM+ Remote Administration
Name: Windows Defender Firewall Remote Management (RPC)
Description: Inbound rule for the Windows Defender Firewall to be remotely managed via RPC/TCP.
Enabled: False
Program: %SystemRoot%\system32\svchost.exe
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 6
Local port: Dynamic RPC
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.3.0/255.255.255.0
Profile: All
Network interface type: All
Service: policyagent
Allow edge traversal: False
Group: Windows Defender Firewall Remote Management
Name: Remote Volume Management - Virtual Disk Service (RPC)
Description: Inbound rule for the Remote Volume Management - Virtual Disk Service to be remotely managed via RPC/TCP.
Enabled: True
Program: %SystemRoot%\system32\vds.exe
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 6
Local port: Dynamic RPC
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.3.0/255.255.255.0
Profile: All
Network interface type: All
Service: vds
Allow edge traversal: False
Group: Remote Volume Management
Name: Remote Volume Management - Virtual Disk Service Loader (RPC)
Description: Inbound rule for the Remote Volume Management - Virtual Disk Service Loader to be remotely managed via RPC/TCP.
Enabled: True
Program: %SystemRoot%\system32\vdsldr.exe
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 6
Local port: Dynamic RPC
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.1.0/255.255.255.0, 10.220.3.0/255.255.255.0
Profile: All
Network interface type: All
Service: All programs and services
Allow edge traversal: False
Group: Remote Volume Management
Name: OpenSSH SSH Server (sshd)
Description: Inbound rule for OpenSSH SSH Server (sshd)
Enabled: False
Program: %SystemRoot%\system32\OpenSSH\sshd.exe
Action: Allow
Security: Require authentication
Authorized computers:
Authorized users:
Protocol: 6
Local port: 22
Remote port: Any
ICMP settings: Any
Local scope: Any
Remote scope: 10.220.3.0/255.255.255.0
Profile: All
Network interface type: All
Service: All programs and services
Allow edge traversal: False
Group: OpenSSH Server
Connection Security Settings
Administrative Templates
Policy definitions (ADMX files) retrieved from the central store.
MS Security Guide
Policy / Setting / Comment:
NetBT NodeType configuration: Enabled
  Configure NetBT NodeType: P-node (recommended)
MSS (Legacy)
Policy / Setting / Comment:
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing): Enabled
  DisableIPSourceRoutingIPv6: Highest protection, source routing is completely disabled
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing): Enabled
  DisableIPSourceRouting: Highest protection, source routing is completely disabled
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes: Disabled
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers: Enabled
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS): Disabled
Network/DNS Client
Policy / Setting / Comment:
Configure NetBIOS settings: Enabled
  Configure NetBIOS options: Disable NetBIOS name resolution
Turn off Multicast DNS (mDNS) client: Enabled
Turn off multicast name resolution: Enabled
Network/Network Connections/Windows Defender Firewall/Domain Profile
Policy / Setting / Comment:
Windows Defender Firewall: Allow logging: Enabled
  Log dropped packets: Enabled
  Log successful connections: Disabled
  Log file path and name: %systemroot%\system32\logfiles\firewall\pfirewall.log
  Size limit (KB): 128
Windows Defender Firewall: Do not allow exceptions: Disabled
Windows Defender Firewall: Prohibit notifications: Enabled
Windows Defender Firewall: Prohibit unicast response to multicast or broadcast requests: Enabled
Windows Defender Firewall: Protect all network connections: Enabled
RPC Static Ports
Policy / Setting / Comment:
Domain Controller: Active Directory RPC static port: Enabled
  Static port number: 38901
Domain Controller: File Replication Service (FRS) static port: Enabled
  Static port number: 38903
Domain Controller: Netlogon static port: Enabled
  Static port number: 38902
Windows Components/Application Compatibility
Policy / Setting / Comment:
Turn off Application Telemetry: Enabled
Windows Components/Data Collection and Preview Builds
Policy / Setting / Comment:
Allow Diagnostic Data: Enabled
  Diagnostic data off (not recommended)
Windows Components/Delivery Optimization
Policy / Setting / Comment:
Download Mode: Enabled
  Download Mode: Simple (99)
Windows Components/Microsoft Defender Antivirus/Microsoft Defender Exploit Guard/Attack Surface Reduction
Policy / Setting / Comment:
Configure Attack Surface Reduction rules: Enabled
  Set the state for each ASR rule:
    d1e49aac-8f56-4280-b9ba-993a6d77406c: 1
    e6db77e5-3df2-4cf1-b95a-636979351e5b: 1
Windows Components/Microsoft Defender Antivirus/Microsoft Defender Exploit Guard/Network Protection
Policy / Setting / Comment:
Prevent users and apps from accessing dangerous websites: Enabled
This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server.: Enabled
User Configuration (Disabled)
No settings defined.