Is your Windows Firewall actually blocking the right things? A free script to check

Most Windows machines have a firewall. Far fewer have one that's correctly configured — and there's a big difference between the two.

At Prestige Cyber Guard, we help UK businesses achieve and maintain Cyber Essentials certification. Firewalls are one of the five core controls the scheme assesses, and while almost every Windows machine has Windows Firewall installed, the common issues we see aren't about whether it's there — they're about whether it's switched on across every network profile, whether the default behaviour is to block rather than allow, and whether risky ports have been quietly opened by software installed over the years.

This post gives you a free PowerShell script that checks your firewall configuration in under a minute and tells you clearly what needs attention before your assessment.

What Cyber Essentials requires for firewalls

Cyber Essentials has four clear expectations when it comes to firewall protection:

  • A firewall must be active on every device — not just at the network boundary

  • The default behaviour must be to block inbound connections unless explicitly allowed

  • Unnecessary inbound rules must be removed — software often opens ports it no longer needs

  • Any remote access services must be disabled unless they are actively required and properly secured

That last point catches a lot of businesses out. Remote Desktop Protocol (RDP) is one of the most commonly exploited entry points for ransomware attacks — and it's frequently left enabled on machines where nobody realised it was on. If RDP is open and not restricted, that's an automatic concern for any Cyber Essentials assessor.

The three firewall profiles Windows uses

Windows maintains three separate firewall profiles, and Cyber Essentials expects all three to be active:

Domain — applies when a domain-joined device can reach a domain controller for its domain. This is the profile most business devices with Active Directory use while in the office or connected over VPN.

Private — applies when connected to a trusted network, such as your office Wi-Fi or home network.

Public — applies when connected to untrusted networks like coffee shop Wi-Fi, hotel internet, or any network marked as public. This is the most important one to have locked down tightly.

A common misconfiguration is having the Domain and Private profiles enabled but the Public profile disabled or permissive — leaving laptops completely exposed when staff work remotely.
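As an added example (not part of the script below or any Prestige Cyber Guard code), this is the PowerShell that puts all three profiles into the state Cyber Essentials expects and then confirms what is actually being enforced. The adapter name 'Wi-Fi' in the final commented-out line is an assumption; take the real name from the Get-NetConnectionProfile output.

```powershell
# Added example: remediation for the firewall profile checks (not part of the original script).
# Run in an elevated PowerShell window; changes take effect immediately and persist across reboots.

$allProfiles = 'Domain', 'Private', 'Public'

# 1. Turn the firewall on for all three profiles
Set-NetFirewallProfile -Profile $allProfiles -Enabled True

# 2. Block inbound by default unless a rule explicitly allows it; leave outbound open
Set-NetFirewallProfile -Profile $allProfiles -DefaultInboundAction Block -DefaultOutboundAction Allow

# 3. Confirm the effective settings. ActiveStore merges the local settings with any
#    Group Policy or MDM firewall policy, so this is what is really enforced on the device.
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# 4. See which profile each live network connection is on right now. A laptop on hotel
#    or coffee-shop Wi-Fi should show NetworkCategory = Public, not Private.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory

# If a connection has been wrongly marked Private, move it to Public.
# 'Wi-Fi' is an assumed adapter name; use the InterfaceAlias shown above.
# Set-NetConnectionProfile -InterfaceAlias 'Wi-Fi' -NetworkCategory Public
```

The ActiveStore query matters on domain-joined or Intune-managed machines: the local settings can look correct while a policy pushed from the domain overrides them, or the other way round, and the assessor cares about the enforced state.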

The script: check your firewall in under a minute

Our free PowerShell script runs four checks automatically and gives you a clear PASS, WARN, or FAIL on each one — with plain-English instructions on what to fix if something isn't right.

How to run it (no technical experience needed)

  1. Press the Windows key on your keyboard

  2. Type PowerShell

  3. Right-click on "Windows PowerShell" in the results

  4. Click "Run as administrator"

  5. Click "Yes" if a blue permission box appears

  6. Paste this line and press Enter:

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

  7. Then paste the full script and press Enter

Note: This command is temporary. It only affects the current PowerShell window and resets the moment you close it. No permanent changes are made to your machine.

The script

Write-Host ""
Write-Host "=====================================================" -ForegroundColor Cyan
Write-Host "  CYBER ESSENTIALS - FIREWALL CHECK" -ForegroundColor Cyan
Write-Host "=====================================================" -ForegroundColor Cyan
Write-Host ""

# CHECK 1: Firewall enabled on all profiles
Write-Host "CHECK 1: Windows Firewall profiles..." -ForegroundColor White
# The loop variable is $fwProfile rather than $profile, which would shadow PowerShell's built-in $PROFILE variable
$profiles = Get-NetFirewallProfile
foreach ($fwProfile in $profiles) {
    if ($fwProfile.Enabled -eq 'True') {
        Write-Host "  [PASS] $($fwProfile.Name) profile: Firewall ON" -ForegroundColor Green
    } else {
        Write-Host "  [FAIL] $($fwProfile.Name) profile: Firewall OFF" -ForegroundColor Red
        Write-Host "         Action: Windows Security > Firewall & network protection > Turn on" -ForegroundColor Yellow
    }
}

Write-Host ""

# CHECK 2: Default inbound action
Write-Host "CHECK 2: Default inbound connection policy..." -ForegroundColor White
foreach ($fwProfile in $profiles) {
    $action = $fwProfile.DefaultInboundAction
    if ($action -eq 'Block') {
        Write-Host "  [PASS] $($fwProfile.Name): Default inbound is BLOCK" -ForegroundColor Green
    } elseif ($action -eq 'NotConfigured') {
        # A fresh Windows install reports NotConfigured here; Windows then falls back to Block,
        # but setting it explicitly makes the policy visible to you and to an assessor
        Write-Host "  [WARN] $($fwProfile.Name): Default inbound is NOT CONFIGURED (Windows defaults to Block) - set it explicitly to Block" -ForegroundColor Yellow
    } else {
        Write-Host "  [FAIL] $($fwProfile.Name): Default inbound is $action - change to Block" -ForegroundColor Red
    }
}

Write-Host ""

# CHECK 3: Risky inbound rules
Write-Host "CHECK 3: Risky inbound firewall rules..." -ForegroundColor White
$riskyPorts = @(23,3389,5900,21,445,135,139)
$riskyNames = @{23="Telnet";3389="RDP";5900="VNC";21="FTP";445="SMB";135="RPC";139="NetBIOS"}
$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True
$found = $false
foreach ($rule in $rules) {
    $pf = $rule | Get-NetFirewallPortFilter -ErrorAction SilentlyContinue
    if (-not $pf) { continue }
    # LocalPort can be a single port, an array of ports, a range such as "3389-3390",
    # or a keyword such as "Any", "RPC" or "IPHTTPS". Casting a keyword to [int] would
    # throw, so only numeric entries and numeric ranges are examined.
    foreach ($port in @($pf.LocalPort)) {
        $port = "$port".Trim()
        if ($port -match '^(\d+)(?:-(\d+))?$') {
            $lo = [int]$Matches[1]
            $hi = if ($Matches[2]) { [int]$Matches[2] } else { $lo }
            foreach ($p in $riskyPorts) {
                if ($p -ge $lo -and $p -le $hi) {
                    Write-Host "  [WARN] Port $p open ($($riskyNames[$p])) - Rule: $($rule.DisplayName)" -ForegroundColor Yellow
                    $found = $true
                }
            }
        }
    }
}
if (-not $found) { Write-Host "  [PASS] No obviously risky inbound rules detected" -ForegroundColor Green }

Write-Host ""

# CHECK 4: Remote Desktop
Write-Host "CHECK 4: Remote Desktop (RDP) status..." -ForegroundColor White
# fDenyTSConnections = 1 means RDP connections are refused. If the value cannot be read, say so rather than fail
$rdp = Get-ItemProperty "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($null -eq $rdp) {
    Write-Host "  [WARN] Could not read the Remote Desktop setting - check Settings > System > Remote Desktop manually" -ForegroundColor Yellow
} elseif ($rdp.fDenyTSConnections -eq 1) {
    Write-Host "  [PASS] Remote Desktop is disabled" -ForegroundColor Green
} else {
    Write-Host "  [WARN] Remote Desktop is ENABLED - disable if not required" -ForegroundColor Yellow
    Write-Host "         Action: Settings > System > Remote Desktop > Turn off" -ForegroundColor Yellow
}

Write-Host ""
Write-Host "  Need help? Contact Prestige Cyber Guard:" -ForegroundColor White
Write-Host "  hello@prestigecyberguard.co.uk" -ForegroundColor Cyan
Write-Host ""

What the results mean

[PASS] — that check meets the Cyber Essentials requirement. No action needed.

[WARN] — something needs reviewing before your assessment. Not necessarily a block on certification, but a risk worth addressing — and something an assessor is likely to question.

[FAIL] — this is a direct Cyber Essentials gap. It must be fixed before you can achieve or renew certification. Every fail in the script comes with a plain-English instruction so you know exactly what to do.

A note on RDP and remote access

If the script flags that Remote Desktop is enabled, don't panic — but do take it seriously. RDP on port 3389 is one of the most scanned ports on the internet, and attackers actively hunt for machines with it exposed. If you genuinely need remote access to your machines, the secure approach is to restrict the RDP firewall rules to specific source IP addresses, require Network Level Authentication, and put multi-factor authentication in front of it. Built-in RDP has no MFA of its own, so in practice that means a VPN or remote access gateway that enforces MFA, or a purpose-built remote access tool with proper access controls.

If you're not sure whether RDP is being used on your network, turning it off is the safest default — and it removes one of the most common attack vectors overnight.
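As an added example (not part of the script above or any Prestige Cyber Guard code), this PowerShell handles a CHECK 4 warning either way: it disables RDP and its inbound rules when nobody needs it, or, when RDP is required, scopes the built-in Remote Desktop rules to a management subnet and turns on Network Level Authentication. The values of $RdpRequired and $ManagementSubnet are assumptions to edit before running.

```powershell
# Added example: two ways to clear a CHECK 4 WARN (not part of the original script).
# Run in an elevated PowerShell window. The two variables below are assumptions; edit them first.

$RdpRequired      = $false          # set to $true only if someone genuinely uses RDP to reach this machine
$ManagementSubnet = '10.0.10.0/24'  # assumed admin network; replace with your own

$tsKey = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'

if (-not $RdpRequired) {
    # Option A: nobody needs RDP. Refuse connections at the service and disable the
    # inbound rules that open TCP/UDP 3389, so CHECK 3 and CHECK 4 both clear.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}
else {
    # Option B: RDP is required. Keep it enabled, but limit the built-in inbound rules to
    # the management subnet only and require Network Level Authentication (NLA), so an
    # unauthenticated client never reaches the Windows logon screen.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 0
    Set-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -Enabled True -RemoteAddress $ManagementSubnet
}

# Verify: with RDP disabled there should be no enabled Remote Desktop rules; with RDP
# required, every enabled rule should show RemoteAddress = $ManagementSubnet, not Any.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        '{0,-45} RemoteAddress={1}' -f $_.DisplayName, ($addr -join ',')
    }
```

A rule scoped to a subnet is what turns a CHECK 3 "Port 3389 open" warning from an exposure into a deliberate, documented exception; the script above only reports the port, so the remote address scope is something to confirm by hand before an assessment. NLA and a source restriction still do not give you MFA, which has to come from a VPN or gateway in front of the machine.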

This is part of a bigger picture

Firewalls are one of the five Cyber Essentials controls, and we've now published free scripts for four of them.

All scripts are free, require no technical experience to run, and are available on our GitHub.

Ready to work towards certification?

Running these scripts is a great starting point, but achieving Cyber Essentials certification means evidencing all five controls across your entire organisation — not just one machine at a time.

At Prestige Cyber Guard, our Cyber Essentials support service takes you from initial gap assessment through to certification. We identify what needs fixing, help you fix it, and guide you through the submission process.

Get in touch today: 📧 hello@prestigecyberguard.co.uk 🌐 www.prestigecyberguard.co.uk

Cyber Essentials is a UK government-backed scheme managed by IASME on behalf of the National Cyber Security Centre (NCSC). Holding certification demonstrates that your organisation has the fundamental controls in place to protect against the most common cyber threats.
