This tutorial will show you how to enable or disable "shields up" mode in Windows Firewall to quickly "Block all incoming connections, including those in the list of allowed apps" on your Windows 10 or Windows 11 PC.
Windows Firewall or Microsoft Defender Firewall is a security feature that helps to protect your device by filtering network traffic that enters and exits your device. This traffic can be filtered based on several criteria, including source and destination IP address, IP protocol, or source and destination port number. Windows Firewall can be configured to block or allow network traffic based on the services and applications that are installed on your device. This allows you to restrict network traffic to only those applications and services that are explicitly allowed to communicate on the network. Windows Firewall is a host-based firewall that is included with the operating system and enabled by default on all Windows editions.
An important Windows Firewall feature you can use to mitigate damage during an active attack is the shields up mode. It's an informal term referring to an easy method a firewall administrator can use to temporarily increase security in the face of an active attack.
Shields up can be achieved by checking (on) the Block all incoming connections, including those in the list of allowed apps setting for the domain, public, and/or private network profile.
By default, the Windows Firewall blocks everything unless there's an exception rule created. The shields up option overrides the exceptions. For example, the Remote Desktop feature automatically creates firewall rules when enabled. However, if there's an active exploit using multiple ports and services on a host, you can, instead of disabling individual rules, use the shields up mode to block all inbound connections, overriding previous exceptions, including the rules for Remote Desktop. The Remote Desktop rules remain intact but remote access can't work as long as shields up is active.
Once the emergency is over, uncheck (off) the Block all incoming connections, including those in the list of allowed apps setting to restore regular network traffic.
Reference: Windows Firewall tools (learn.microsoft.com): Learn about the available tools to configure Windows Firewall and firewall rules.
You must be signed in as an administrator to turn on or off "shields up" mode in Windows Firewall to "Block all incoming connections, including those in the list of allowed apps".
Contents
- Option One: Turn On or Off Block All Incoming Connections in Windows Firewall in Windows Security
- Option Two: Turn On or Off Block All Incoming Connections in Windows Firewall in Control Panel
- Option Three: Turn On or Off Block All Incoming Connections in Windows Firewall using REG file
Option One: Turn On or Off Block All Incoming Connections in Windows Firewall in Windows Security
1 Open Windows Security.
2 Click/tap on Firewall & network protection.
3 Click/tap on Domain network, Private network, or Public network for the network location you want to turn shields up mode on or off for.
The network location with (active) next to it is your current network location.
4 Under Incoming connections, check (on) or uncheck (off - default) Block all incoming connections, including those in the list of allowed apps for what you want.
5 If prompted by UAC, click/tap on Yes to approve.
6 You can now close Windows Security if you like.
Option Two: Turn On or Off Block All Incoming Connections in Windows Firewall in Control Panel
1 Open the Control Panel (icons view), and click/tap on the Windows Defender Firewall icon.
2 Click/tap on the Turn Windows Defender Firewall on or off link on the left side.
3 Check (on) or uncheck (off - default) Block all incoming connections, including those in the list of allowed apps for what you want under each available Domain network, Private network, or Public network settings.
4 Click/tap on OK to apply.
5 You can now close the "Windows Defender Firewall" Control Panel if you like.
Option Three: Turn On or Off Block All Incoming Connections in Windows Firewall using REG file
1 Do step 2 (domain), step 3 (public), or step 4 (private) below for the network profile you want to enable or disable shields up mode for.
2 Turn On or Off Shields Up mode on Domain Network in Windows Firewall
A) Click/tap on the Download button you want to use below, and go to step 5 below.
Turn_ON-Block_all_incoming_connections_on_Domain_profile.reg
Download
(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DoNotAllowExceptions"=dword:00000001
OR
(Default) Turn_OFF-Block_all_incoming_connections_on_Domain_profile.reg
Download
(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DoNotAllowExceptions"=dword:00000000
3 Turn On or Off Shields Up mode on Public Network in Windows Firewall
A) Click/tap on the Download button you want to use below, and go to step 5 below.
Turn_ON-Block_all_incoming_connections_on_Public_profile.reg
Download
(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DoNotAllowExceptions"=dword:00000001
OR
(Default) Turn_OFF-Block_all_incoming_connections_on_Public_profile.reg
Download
(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DoNotAllowExceptions"=dword:00000000
4 Turn On or Off Shields Up mode on Private Network in Windows Firewall
A) Click/tap on the Download button you want to use below, and go to step 5 below.
Turn_ON-Block_all_incoming_connections_on_Private_profile.reg
Download
(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions"=dword:00000001
OR
(Default) Turn_OFF-Block_all_incoming_connections_on_Private_profile.reg
Download
(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions"=dword:00000000
5 Save the .reg file to your desktop.
6 Double click/tap on the downloaded .reg file to merge it.
7 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.
8 Restart the computer to apply.
9 You can now delete the downloaded .reg file if you like.
That's it,
Shawn Brink
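The following PowerShell sketch is an added example, not part of the original tutorial. It reads the same DoNotAllowExceptions values the REG files above write, so you can confirm which profiles have shields up enabled, and it can write the value for one profile. The function names Get-ShieldsUpState and Set-ShieldsUp are hypothetical, and treating a missing value as off (the default) is an assumption.

```powershell
# Added example: audit or set the "shields up" registry value per firewall profile.
# Run from an elevated (administrator) PowerShell session.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

# UI profile name -> registry subkey used by the REG files above.
$profileKeys = [ordered]@{
    Domain  = 'DomainProfile'
    Public  = 'PublicProfile'
    Private = 'StandardProfile'   # the Private profile is stored under StandardProfile
}

function Get-ShieldsUpState {
    foreach ($name in $profileKeys.Keys) {
        $path = Join-Path $base $profileKeys[$name]
        $item = Get-ItemProperty -Path $path -Name DoNotAllowExceptions -ErrorAction SilentlyContinue
        # Assumption: a missing value is reported as off (the default state).
        $raw = if ($null -ne $item) { $item.DoNotAllowExceptions } else { $null }
        [pscustomobject]@{
            Profile   = $name
            Key       = $profileKeys[$name]
            RawValue  = $raw
            ShieldsUp = ($raw -eq 1)
        }
    }
}

function Set-ShieldsUp {
    param(
        [Parameter(Mandatory)][ValidateSet('Domain', 'Public', 'Private')][string]$ProfileName,
        [Parameter(Mandatory)][bool]$Enabled
    )
    $path = Join-Path $base $profileKeys[$ProfileName]
    # Writes dword 1 (on) or 0 (off), matching the REG file contents.
    Set-ItemProperty -Path $path -Name DoNotAllowExceptions -Value ([int]$Enabled) -Type DWord
}

# Report the current state of all three profiles.
Get-ShieldsUpState | Format-Table -AutoSize

# Example: turn shields up on for the Public profile, then re-check.
# Set-ShieldsUp -ProfileName Public -Enabled $true
# Get-ShieldsUpState | Format-Table -AutoSize
```

As with the REG files in step 8 above, restart the computer after writing the value.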