Security+ Academy · Lesson

Host-Based Firewall and Application Allowlisting

Configure host-based firewalls (Windows Defender Firewall, iptables) and application allowlists that block unauthorized software from executing.

Host-Based vs Network Firewalls

A network firewall sits at the perimeter and filters traffic between network segments. A host-based firewall runs on the individual endpoint and filters traffic to and from that specific machine. Host-based firewalls provide defense-in-depth: even if an attacker bypasses the network firewall (via a VPN, a compromised insider, or lateral movement from another infected host), the host firewall enforces local traffic rules. They are especially important for laptops that travel outside the corporate perimeter and connect to untrusted networks.

Windows Defender Firewall

Windows Defender Firewall (WDF) is the built-in host firewall in all modern Windows versions. It supports three profiles: Domain (connected to corporate domain — typically more permissive), Private (trusted home network), and Public (untrusted networks — most restrictive). WDF rules can filter by port, protocol, application path, remote IP, and user identity. The Windows Defender Firewall with Advanced Security (WFAS) MMC snap-in and Group Policy enable centralized enterprise management of firewall rules across all domain-joined machines.

# Windows (cmd.exe): create an inbound rule that blocks Telnet (TCP/23).
# cmd.exe continues a line with ^ (a trailing backslash is not a continuation there),
# and netsh expects double quotes around values that contain spaces.
netsh advfirewall firewall add rule ^
  name="Block Telnet" ^
  dir=in ^
  action=block ^
  protocol=TCP ^
  localport=23

# PowerShell equivalent (NetSecurity module); the backtick is PowerShell's line continuation.
New-NetFirewallRule `
  -DisplayName 'Block Telnet Inbound' `
  -Direction Inbound `
  -Protocol TCP `
  -LocalPort 23 `
  -Action Block
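The rule above matches on port alone and applies to every profile. The following is an added example, not part of the lesson, that uses the other filters the text lists (profile, application path, remote address) and then verifies what was created; the rule names, the agent path, the port and the 10.20.0.0/16 subnet are assumptions chosen for illustration.

```powershell
# Added example (not from the lesson). Assumed values: rule names, the agent
# path, TCP/8443 and the 10.20.0.0/16 corporate subnet.
$ruleName = 'Allow-Inventory-Agent-Corp-Only'

# Allow inbound TCP/8443 only to one specific binary, only from the corporate
# subnet, and only while the Domain profile is active (i.e. on the corporate LAN).
New-NetFirewallRule -DisplayName $ruleName `
  -Direction Inbound -Action Allow -Profile Domain `
  -Protocol TCP -LocalPort 8443 `
  -Program 'C:\Program Files\ExampleCorp\Agent\agent.exe' `
  -RemoteAddress 10.20.0.0/16

# Explicitly block the same port on the untrusted profiles, so a laptop on a
# hotel or home network never exposes the agent even if a broader allow rule
# is added later (block rules win over allow rules in WDF).
New-NetFirewallRule -DisplayName 'Block-8443-Untrusted' `
  -Direction Inbound -Action Block -Profile Private,Public `
  -Protocol TCP -LocalPort 8443

# Defense-in-depth only works if the firewall is on for every profile and
# unsolicited inbound traffic is denied by default.
Set-NetFirewallProfile -Profile Domain,Private,Public `
  -Enabled True -DefaultInboundAction Block

# Verify: the rule exists and is enabled, and its port, address and
# application filters match what was intended.
Get-NetFirewallRule -DisplayName $ruleName |
  Select-Object DisplayName, Enabled, Profile, Direction, Action
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallPortFilter
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallApplicationFilter
```

Run it from an elevated PowerShell session; the three Get-NetFirewall*Filter calls are the quickest way to confirm that a rule pushed by Group Policy actually carries the scope you expect.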
