Ever tried to block a single port on a Windows Defender Firewall and felt like you were pulling teeth?
If you have struggled with it in training labs, especially the ones tagged Simulation Lab 11.2, you’re not alone. The “Block Ports” task looks simple on paper, but the steps can feel like a maze.
I’ve been through that lab a dozen times, tripping over the same tiny UI quirks and missing a checkbox that makes the whole thing fail. The good news? Once you crack the pattern, the rest of the modules fall into place like dominoes. Below is the full, no‑fluff walk‑through for Module 11 Block Ports – Defender Firewall, plus the pitfalls most people overlook.
What Is Simulation Lab 11.2: Module 11 Block Ports – Defender Firewall?
In plain English, this lab is a hands‑on exercise that forces you to use the built‑in Windows Defender Firewall to stop traffic on a specific TCP or UDP port.
It’s part of a larger series (Lab 11) that teaches you how to harden a Windows workstation or server using native security tools. The “block ports” piece is the first real‑world test: you’ll create an inbound rule that drops traffic, then verify the block with a simple network utility.
Think of it as a sandbox version of what a real sysadmin does when a service is misbehaving or a vulnerability is discovered. Instead of writing PowerShell scripts or editing Group Policy Objects, you’re clicking through the GUI, which is exactly what the exam expects you to know.
The Core Components
- Windows Defender Firewall with Advanced Security – the MMC snap‑in where you define inbound/outbound rules.
- Port numbers – the lab typically asks you to block TCP 135 (the RPC endpoint mapper) or UDP 137 (NetBIOS name service).
- Scope settings – you’ll decide whether the rule applies to all IPs or just a subset.
- Profiles – Domain, Private, and Public. The lab usually wants you to hit all three.
If you’ve never opened the firewall console before, you’ll find it under Control Panel → System and Security → Windows Defender Firewall → Advanced Settings.
Why It Matters / Why People Care
Blocking ports isn’t just an academic exercise; it’s a frontline defense.
A single open port can be a backdoor for ransomware, a foothold for lateral movement, or a way for an attacker to enumerate services. In the real world, compliance frameworks (PCI‑DSS, HIPAA, NIST) often require you to document which ports are open and why.
In practice, the “Block Ports” lab teaches you three things that matter beyond the classroom:
- Visibility – You learn to see exactly what traffic the firewall is filtering.
- Precision – You get comfortable specifying protocol, port number, and scope without breaking other services.
- Verification – You practice confirming that a rule actually works, a step many admins skip and later regret.
Skip this step and you’ll be the person who forgets to close a known vulnerable port after a patch, something that has happened to more than a few IT departments.
How It Works (Step‑by‑Step)
Below is the exact sequence that gets the job done, plus a few shortcuts that save you time.
1. Open the Advanced Firewall Snap‑in
- Press Win + R, type wf.msc, hit Enter.
- The left pane shows Inbound Rules, Outbound Rules, Connection Security Rules, and Monitoring.
2. Create a New Inbound Rule
- Right‑click Inbound Rules → New Rule….
- In the wizard, select Port and click Next.
3. Choose Protocol and Port
- Pick TCP (or UDP if the lab specifies).
- Under Specific local ports, type the number the lab asks for, e.g., 135.
- Click Next.
4. Set the Action to Block
- Choose Block the connection.
- Don’t select “Allow the connection” by accident—that’s the most common slip‑up.
- Click Next.
5. Apply to All Profiles
- Check Domain, Private, and Public.
- If you only tick one, the rule will be ignored on the other network types, and the lab’s verification step will fail.
- Click Next.
6. Name and Describe the Rule
- Give it a clear name, like Block TCP 135 – Lab 11.2.
- Add a description: “Blocks inbound RPC traffic for Simulation Lab 11.2.”
- Click Finish.
7. Verify the Rule Is Active
- Find your new rule in the list, ensure the Enabled column shows a green check.
- If it’s gray, right‑click → Enable Rule.
8. Test the Block
Open a command prompt on the same machine (or a remote one if the lab provides a second host) and run:
telnet localhost 135
or, for UDP:
nc -vz -u localhost 137
You should see a timeout or connection refused message. If you get a successful connection, double‑check the profile selection and protocol.
9. Document the Change
Most labs ask you to take a screenshot of the rule and the test output. Save it in the lab’s shared folder with the naming convention Lab11_BlockPorts.png.
Common Mistakes / What Most People Get Wrong
Mistake #1 – Forgetting the Profile Box
I’ve seen dozens of screenshots where the rule looks perfect, but the Public profile is unchecked. The lab’s verification machine is on a “Public” network, so the rule never fires. Always tick all three.
Mistake #2 – Using “Allow the Connection” Instead of “Block”
The wizard’s default selection is “Allow the connection”. It’s easy to breeze through the steps and only notice the mistake when the telnet test succeeds. Take a second to double‑check the Action screen.
Mistake #3 – Mixing TCP and UDP
If the lab says “Block UDP 137” and you pick TCP, the rule will sit there doing nothing. The protocol dropdown is right at the top of the Port screen—don’t skim it.
Mistake #4 – Not Enabling the Rule
Sometimes the rule is created but stays disabled because the wizard was interrupted. A disabled rule shows a gray icon; a quick right‑click → Enable Rule fixes it.
Mistake #5 – Overlooking Scope
A few labs ask you to limit the block to a specific IP range. If you leave the Scope set to “Any IP address”, the rule will be broader than required, and the lab grader may mark you down for “excessive restriction”. Adjust the Remote IP address field only when instructed.
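As an added example, not part of the lab guide or its grading scripts, this PowerShell function audits the rule created in steps 1 to 7 against Mistakes #1 to #5 using the built‑in Get-NetFirewallRule, Get-NetFirewallPortFilter and Get-NetFirewallAddressFilter cmdlets; the function name and the default rule name (taken from step 6) are my assumptions.

```powershell
# Added example, not from the lab guide: audit an inbound block rule against the
# common mistakes listed above. Reading rules does not need an elevated session.
function Test-LabBlockRule {
    param(
        [string]$DisplayName = 'Block TCP 135 – Lab 11.2',   # assumed: name from step 6
        [string]$Protocol    = 'TCP',
        [string]$LocalPort   = '135'
    )
    $rule = Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue |
            Select-Object -First 1
    if (-not $rule) {
        Write-Warning "Rule '$DisplayName' not found: the wizard was probably cancelled before Finish."
        return $false
    }
    $filter   = $rule | Get-NetFirewallPortFilter
    $address  = $rule | Get-NetFirewallAddressFilter
    $profiles = "$($rule.Profile)"          # e.g. 'Any' or 'Domain, Private, Public'

    # One check per mistake; the rule only passes when every row is PASS.
    $checks = [ordered]@{
        'Rule is Enabled (Mistake #4)'        = ($rule.Enabled -eq 'True')
        'Action is Block (Mistake #2)'        = ($rule.Action -eq 'Block')
        'Direction is Inbound'                = ($rule.Direction -eq 'Inbound')
        "Protocol is $Protocol (Mistake #3)"  = ($filter.Protocol -eq $Protocol)
        "Local port is $LocalPort"            = ("$($filter.LocalPort)" -eq $LocalPort)
        'All three profiles (Mistake #1)'     = ($profiles -eq 'Any' -or
            ($profiles -match 'Domain' -and $profiles -match 'Private' -and $profiles -match 'Public'))
    }

    $allPassed = $true
    foreach ($name in $checks.Keys) {
        $passed = [bool]$checks[$name]
        if (-not $passed) { $allPassed = $false }
        Write-Host ("{0,-40} {1}" -f $name, $(if ($passed) { 'PASS' } else { 'FAIL' }))
    }
    # Mistake #5 is a judgement call (depends on the lab's instructions), so only report it.
    Write-Host ("{0,-40} {1}" -f 'Remote address scope (Mistake #5)', "$($address.RemoteAddress)")
    return $allPassed
}

Test-LabBlockRule
```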
Practical Tips – What Actually Works
- Use the “Show/Hide” button in the rule list to see the Enabled column. It’s a quick visual cue that your rule isn’t sleeping.
- Copy an existing rule if you need to block several ports. Right‑click a similar rule → Copy, then edit the port number. Saves a few clicks.
- PowerShell shortcut – If you’re comfortable with the command line, this one‑liner creates the same rule:
New-NetFirewallRule -DisplayName "Block TCP 135 – Lab 11.2" -Direction Inbound -Protocol TCP -LocalPort 135 -Action Block -Profile Any
It’s faster and eliminates the UI pitfalls, but the lab often wants you to prove you can figure out the GUI.
- Take a screenshot before you test. If the test fails, you have proof you followed the steps correctly; you can focus on troubleshooting rather than re‑doing the whole rule.
- Keep a cheat sheet of the most common port numbers you’ll block in the course (135, 137, 139, 445). It’s faster than hunting them up each time.
FAQ
Q1: Can I block a range of ports instead of a single one?
A: Yes. In the Specific local ports box, enter a range like 5000-5010. The rule will block every port in that span.
Q2: What if telnet isn’t installed on the lab machine?
A: Use PowerShell’s Test-NetConnection cmdlet:
Test-NetConnection -ComputerName localhost -Port 135
A “TcpTestSucceeded : False” line means the block is working.
Q3: Do I need to restart the firewall after creating the rule?
A: No. Changes take effect immediately. If you don’t see the block, double‑check the rule’s Enabled state and profile.
Q4: How do I remove the rule after the lab is done?
A: Right‑click the rule in the list → Delete. Confirm, and the firewall reverts to its prior state.
Q5: Will blocking a port break other services on the same machine?
A: Potentially. Always verify that critical services (e.g., Remote Desktop on 3389) are still reachable if you’re working on a production system. In the lab, only the specified port is in use, so you’re safe.
That’s the whole picture for Simulation Lab 11.2: Module 11 Block Ports – Defender Firewall. You now have the exact steps, the common traps, and a few shortcuts to speed you through.
Give it a run, take that screenshot, and move on to the next module with confidence. After all, mastering the firewall UI is the foundation for every later security task you’ll face. Happy labbing!
Troubleshooting Checklist (When the Test Still Shows “Open”)
| Symptom | Likely Cause | Quick Fix |
|---|---|---|
| Test‑NetConnection reports TcpTestSucceeded : True | The rule is scoped to the wrong profile (Domain vs. Private vs. Public). | Open the rule’s Properties → Advanced tab and tick all three profiles. |
| Port still reachable from another machine | The rule is Inbound only and you’re testing from a remote host. | Add a matching Outbound block, or create a Both direction rule. |
| Rule appears in the list but is greyed out | The rule is Disabled. | Right‑click the rule → Enable Rule. |
| Rule not listed after you click “OK” | You edited an existing rule but never clicked Apply before OK. | Re‑open the rule, click Apply, then OK. |
| Firewall service is stopped | The Windows Defender Firewall service (MpsSvc) is not running. | Run net start MpsSvc from an elevated command prompt, then re‑run the test. |
Advanced Tip: Using “Edge Traversal” Wisely
When you create a rule that blocks a port, Windows Defender Firewall automatically blocks traffic that attempts to cross a NAT gateway (edge traversal). In most lab scenarios you won’t need to touch this setting, but if you ever notice a port still open on a VPN‑connected VM, do the following:
- Open the rule’s Properties → Advanced tab.
- Uncheck Allow edge traversal.
- Click OK.
This forces the firewall to enforce the block even on traffic that tries to “tunnel” around the local stack, a handy trick for more advanced networking labs.
Script‑Based Verification (Optional)
If you prefer a repeatable, automated check (useful for grading scripts or personal labs), drop the following PowerShell snippet into a .ps1 file and run it after you create the rule:
$port   = 135
$target = 'localhost'
# Run the test twice: once with the firewall on, once after temporarily disabling it.
# Set-NetFirewallProfile needs an elevated (Administrator) PowerShell session.
Write-Host "Testing with firewall rule in place..."
$withRule = Test-NetConnection -ComputerName $target -Port $port -WarningAction SilentlyContinue |
    Select-Object -ExpandProperty TcpTestSucceeded
Write-Host "Temporarily disabling firewall for comparison..."
Set-NetFirewallProfile -All -Enabled False
try {
    Start-Sleep -Seconds 2   # give the stack a moment to settle
    $withoutFirewall = Test-NetConnection -ComputerName $target -Port $port -WarningAction SilentlyContinue |
        Select-Object -ExpandProperty TcpTestSucceeded
}
finally {
    # Re-enable the firewall even if the second test throws, so the host is never left unprotected
    Set-NetFirewallProfile -All -Enabled True
    Write-Host "Firewall restored."
}
Write-Host "TcpTestSucceeded with rule: $withRule  without firewall: $withoutFirewall"
The first result should be False (blocked) and the second True (open). If you see the opposite, something is still amiss with your rule.
Wrap‑Up & What Comes Next
You’ve just walked through every nuance of creating a reliable inbound block for a single TCP port using the Windows Defender Firewall GUI, verified it with both GUI tools and command‑line utilities, and even explored a quick PowerShell one‑liner for future automation. Mastery of these steps does more than earn you a lab grade—it builds the muscle memory you’ll need when you later:
- Harden a server by locking down unnecessary services.
- Create “kill‑switch” rules for compromised workstations.
- Script bulk firewall deployments across an enterprise using Group Policy or DSC.
Remember, firewalls are only as good as the rules you write and the verification you perform. A single missed checkbox can leave a vulnerable surface exposed, while an extra screenshot can save you hours of back‑and‑forth with an instructor.
Congratulations! You’ve successfully completed Simulation Lab 11.2. Keep the cheat sheet handy, practice the PowerShell shortcut, and move on to the next module with confidence that you can both configure and prove the effectiveness of a Windows Defender Firewall rule. Happy securing!
Final Checklist – One‑Page “Rule‑Ready” Summary
| Step | Action | Quick‑Check |
|---|---|---|
| 1 | Open Windows Defender Firewall → Inbound Rules | Confirm you’re in the correct profile list |
| 2 | New Rule → Port → TCP → Specific local ports (e.g., 135) | Verify the port number in the dialog |
| 3 | Block the connection | Make sure “Allow the connection” is not selected |
| 4 | Tick Domain, Private, and Public | All three profiles checked |
| 5 | Name the rule (e.g., Block TCP 135 – Lab 11.2) and add a description | Name matches the lab’s naming convention |
| 6 | Confirm the rule shows Enabled, then test with telnet or Test-NetConnection | TcpTestSucceeded : False |
Keep this sheet on your desk or in a digital note. Every time you add or tweak a rule, a quick glance at the checklist helps catch the most common slip‑ups (wrong port, wrong profile, or an accidentally enabled “allow” rule).
Extending the Lesson – What If You Need More Granularity?
1. Source‑Specific Blocking
If you only want to block traffic from a particular subnet (e.g., a subnet in the 192.168.1 range):
- Right‑click the rule → Properties → Scope tab.
- Under Remote IP address, select These IP addresses and add the subnet.
- Click OK.
Now only clients from that subnet will hit the block; the rest of the world remains unaffected.
2. Logging the Blocked Traffic
To audit who’s attempting to hit the port:
- In the rule’s Properties, go to the Logging tab.
- Check Log dropped packets.
- Specify a log file path or accept the default (%systemroot%\system32\LogFiles\Firewall\pfirewall.log).
After a week of traffic, review the log with wevtutil qe or a simple Get-Content in PowerShell. Look for the RuleName you set – it will appear in the log entries.
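As an added example, not part of the lab guide, here is a PowerShell parser for pfirewall.log that counts DROP entries aimed at the blocked port per source address. The log lines are constructed sample data laid out according to the #Fields header Windows writes at the top of the real file; the function name is my choice.

```powershell
# Added example, not from the lab guide. Constructed sample of pfirewall.log; the
# column order is taken from the real "#Fields:" header the firewall writes.
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-15 10:01:02 DROP TCP 192.0.2.10 192.0.2.50 50123 135 52 S 123456 0 8192 - - - RECEIVE
2024-01-15 10:01:05 DROP TCP 192.0.2.10 192.0.2.50 50124 135 52 S 123457 0 8192 - - - RECEIVE
2024-01-15 10:02:11 DROP TCP 192.0.2.77 192.0.2.50 40000 135 52 S 223344 0 8192 - - - RECEIVE
2024-01-15 10:02:30 ALLOW TCP 192.0.2.10 192.0.2.50 50125 3389 52 S 123458 0 8192 - - - RECEIVE
2024-01-15 10:03:00 DROP UDP 192.0.2.77 192.0.2.50 137 137 78 - - - - - - - RECEIVE
'@

function Get-FirewallDrops {
    param(
        [string[]]$Lines,
        [int]$DstPort = 135
    )
    # Read the column names from the #Fields header so the parser follows the log's own layout.
    $fieldsLine = $Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $fieldsLine) { throw 'No #Fields header found; is this a pfirewall.log file?' }
    $columns = ($fieldsLine -replace '^#Fields:\s*', '') -split '\s+'

    $Lines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            $values = $_.Trim() -split '\s+'
            $row = [ordered]@{}
            for ($i = 0; $i -lt $columns.Count -and $i -lt $values.Count; $i++) {
                $row[$columns[$i]] = $values[$i]
            }
            [pscustomobject]$row
        } |
        Where-Object { $_.action -eq 'DROP' -and [int]$_.'dst-port' -eq $DstPort } |
        Group-Object 'src-ip' |
        Select-Object @{ n = 'SourceIP'; e = { $_.Name } }, Count |
        Sort-Object Count -Descending
}

# Run against the constructed sample; for the real file, feed it Get-Content of the path above.
Get-FirewallDrops -Lines ($sampleLog -split "`r?`n") -DstPort 135
```

On the sample, the output lists 192.0.2.10 with 2 drops and 192.0.2.77 with 1; the ALLOW entry and the UDP 137 drop are ignored because they do not match DROP on port 135.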
3. Combining with Network Level Controls
For maximum security, consider layering your firewall rule with network‑based measures:
- IPsec: Require encryption for all communication to the server, effectively preventing unauthenticated traffic from reaching the port.
- Virtual Networks: Place the server in a subnet that’s isolated by a virtual network appliance (e.g., Azure NSG, AWS Security Group) that already denies inbound traffic on port 135.
Troubleshooting Quick‑Fixes
| Symptom | Likely Cause | Fix |
|---|---|---|
| Test-NetConnection still returns True | Rule is disabled or not applied to the active profile | Verify Enabled status; check Domain/Private/Public selection |
| Port 135 appears open in Resource Monitor but blocked in telnet | Windows Defender Firewall is outbound allowed but inbound blocked | Ensure the rule is inbound; double‑check Direction |
| Rule shows Enabled but traffic is still allowed | Another rule with higher priority is overriding it | Use Advanced Security → Inbound Rules → Sort by Priority; adjust Order or add a Pre‑configured rule |
| Edge traversal remains enabled | You edited the wrong rule or forgot to save | Re‑open the rule’s Advanced tab and re‑uncheck; click OK |
Closing Thoughts
Blocking a single port with the Windows Defender Firewall may look trivial, but it’s a microcosm of the broader discipline of defensive configuration:
- Precision – Every checkbox and number matters.
- Verification – Never assume a rule works; test from both the inside and outside.
- Documentation – A clear, concise rule name and comment preserve intent for future admins.
- Automation – PowerShell scripts turn a manual task into a repeatable process, essential for scaling.
By mastering this exercise, you’ve not only earned a solid lab grade but also acquired a transferable skill set. Whether you’re hardening a production server, building a secure lab environment, or scripting enterprise deployments, the same principles apply.
Next steps:
- Practice creating a deny rule for an outbound port you know is unused (e.g., 8080).
- Explore the Outbound Rules pane and observe the symmetry (or lack thereof) with inbound rules.
- If you’re comfortable, try a Custom rule that blocks based on protocol ICMP or a Program path.
Keep your cheat sheet handy, revisit the quick‑check table, and remember: a firewall is only as strong as the rules you write and the rigor you apply to testing them.
Congratulations, you’re now a certified Windows Defender Firewall rule‑writer!