Task 9: Secure Critical Devices with Host-Based Firewalls

In the last article, we covered the purpose of firewalls and how they act as a barrier between your devices and potential cyber threats. We saw that there are two types of firewalls – network firewalls (which are often physical devices) and host-based fire

In this task, we’ll focus on enabling and configuring host-based firewalls on your most critical devices.

The good news? Most operating systems already come with a capable, free, built-in firewall.

You just need to ensure it’s properly configured and running on the right devices.


Why Host-Based Firewalls Matter

A host-based firewall protects an individual device by filtering incoming and outgoing network traffic based on a set of security rules.

While network-level firewalls (like the one on your router) are a great first line of defense for the entire network, host-based firewalls provide a crucial second layer, especially when devices are mobile or exposed to untrusted networks. Think about it this way – once an attacker gets into your network, a host-based firewall is the next line of protection against them attacking any specific machine.

The other important reason that we encourage the adoption of host-based firewalls is that mobile devices – especially laptops – are often connected to public or otherwise insecure networks. Places like coffee shops, airports and hotels often have highly insecure networks and virtually anyone can try to attack your computer while you’re connected to that network. If they do manage to gain a foothold on your computer, they can then pivot into your small business network or even attack any cloud-based services like Gmail/Google Workspace or Microsoft 365 products that your business may use.

For small businesses, host-based firewalls are one of the most cost-effective security measures you can implement. They’re typically free, built into your operating system, and quick to configure. That’s why we strongly recommend enabling and properly configuring host-based firewalls on key assets like Windows computers, servers, and any device that connects to public networks, before considering an investment in a dedicated hardware firewall.

Like many of the Tasks in this course, this step has an exceptionally high return on investment (ROI). For a small time investment, you get a powerful layer of protection that significantly reduces your attack surface.


Which Devices Should Have a Host-Based Firewall?

While it’s never a bad idea to have firewalls enabled on all capable devices, certain systems absolutely require it due to their higher risk profile:

High-Priority Devices:

  • Windows Computers: Windows devices are the most targeted endpoints in small business environments. Always ensure the built-in Windows Defender Firewall is active.
  • Servers: Servers that host critical applications, store sensitive data, or provide network services should always have a host-based firewall configured. Examples include email servers, DNS servers, Windows Active Directory domain controllers, and internally-facing web servers. A helpful rule of thumb – any computer running a Microsoft Server operating system most likely functions as a server.
  • Externally-Facing Systems: Any device that connects directly to the internet (such as public web servers or remote desktop systems) must have a host-based firewall as an added safeguard. Note that for web servers, this is in addition to (and arguably more important than) a web application firewall, or WAF. The host-based firewall protects the computer, while the WAF protects the website.
  • Laptops and Mobile Workstations: Devices that are taken outside of the office network are at greater risk of exposure and should always have an active firewall.

Lower-Priority Devices:

  • Printers, IoT devices, Smart TVs, etc.: Many of these devices either lack a built-in firewall or are difficult to manage at the host level. Focus on segmenting them on your network instead.
  • Mac Computers (Debatable): macOS comes with a built-in firewall, but it’s disabled by default. It’s a good idea to enable it on Macs, especially laptops or systems handling sensitive data.
  • Tablets and Smartphones: While devices like tablets and smartphones do connect to business resources, their operating systems (like iOS and Android) handle network security differently than traditional computers. They often have built-in protections such as application sandboxing and limited inbound connectivity by default. In other words, mobile operating systems tend to keep the device ‘locked down’ against outside attacks – for good reason, as they are constantly connecting to insecure networks. For small businesses, managing host-based firewall rules on mobile devices typically isn’t a priority, especially compared to securing laptops, desktops, and servers.

Step-by-Step: Enable Host-Based Firewall on Windows

  1. Open Windows Security:
    • Click Start > Settings > Privacy & Security > Windows Security > Firewall & Network Protection.
  2. Ensure Firewall is On for All Profiles:
    • You’ll see three profiles: Domain, Private, Public.
    • Click into each and ensure the firewall is turned on.
  3. Check Allowed Apps:
    • Click “Allow an app through firewall” and review the list.
    • Remove unnecessary exceptions and ensure only trusted applications have access.
  4. Optional (Advanced Users):
    • Click “Advanced Settings” to configure detailed inbound/outbound rules.
    • Windows already blocks unsolicited inbound connections by default. For critical servers, confirm that the default inbound action is “Block” on every profile, then keep only the inbound rules for services the server actually provides (for example, the ports used by the application it hosts) and disable the rest.

Step-by-Step: Enable Host-Based Firewall on macOS

  1. Go to System Settings > Network > Firewall. (On versions of macOS older than Ventura, the firewall lives under System Preferences > Security & Privacy > Firewall.)
  2. Toggle the firewall to On.
  3. Click Options to manage specific app permissions. The “Block all incoming connections” option allows only a few essential system services (such as DHCP and Bonjour) and prevents sharing services like file sharing and screen sharing from accepting connections, so it suits a laptop far better than a Mac that other machines rely on.
  4. For laptops, consider enabling Stealth Mode, which makes the Mac ignore probes such as ping and closed-port scans so it is less visible on public networks.
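Both step-by-step procedures above can be checked from the command line rather than clicked through, which matters once you have more than a handful of machines. The PowerShell script below is an added example written for this page; it is not part of the course material. It audits the settings the two procedures describe (all three Windows profiles on with a default inbound action of Block, the list of inbound exceptions, and on macOS the firewall, stealth mode and “block all” states) and, only when run with the `-Fix` switch (a name chosen for this example), turns on what is off. It assumes an elevated PowerShell on Windows, or `pwsh` run under `sudo` on macOS, and uses only the built-in `NetSecurity` cmdlets and Apple’s `socketfilterfw` tool.

```powershell
# Added example (not from the course): audit, and optionally enforce, the
# host-based firewall settings from the Windows and macOS procedures above.
# Run in an elevated PowerShell on Windows, or under sudo with pwsh on macOS.
# The -Fix switch and the report layout are this example's own choices.
param(
    [switch]$Fix   # without -Fix the script only reports; with -Fix it enables/hardens
)

function Test-WindowsFirewall {
    # Step 2: the Domain, Private and Public profiles must all be on, and the
    # default inbound action must be Block so only explicit rules admit traffic.
    foreach ($p in Get-NetFirewallProfile) {
        $ok = ($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -eq 'Block')
        '{0,-8} Enabled={1,-5} DefaultInbound={2,-8} {3}' -f $p.Name, $p.Enabled,
            $p.DefaultInboundAction, $(if ($ok) { 'OK' } else { 'NEEDS FIX' })
        if ($Fix -and -not $ok) {
            Set-NetFirewallProfile -Name $p.Name -Enabled True -DefaultInboundAction Block
        }
    }

    # Step 3: review the exceptions. List every enabled inbound Allow rule with
    # the program it admits, so unneeded ones can be disabled by display name
    # (Disable-NetFirewallRule -DisplayName '<name>'). Rules with no program are
    # service or port rules; look at those on servers especially.
    Write-Output ''
    Write-Output 'Enabled inbound Allow rules (review and prune):'
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        ForEach-Object {
            [pscustomobject]@{
                Rule    = $_.DisplayName
                Profile = $_.Profile
                Program = ($_ | Get-NetFirewallApplicationFilter).Program
            }
        } | Sort-Object Program, Rule | Format-Table -AutoSize
}

function Test-MacFirewall {
    # Apple's command-line front end for the application firewall.
    $sfw = '/usr/libexec/ApplicationFirewall/socketfilterfw'

    # Step 2: firewall on. Step 4: stealth mode on for laptops.
    # Step 3: "block all incoming connections" is reported but not changed,
    # because it also stops file/screen sharing from accepting connections.
    & $sfw --getglobalstate
    & $sfw --getstealthmode
    & $sfw --getblockall

    if ($Fix) {
        & $sfw --setglobalstate on
        & $sfw --setstealthmode on
    }

    # Equivalent of the Options list in System Settings: apps with explicit
    # allow/block entries.
    & $sfw --listapps
}

# $IsWindows is undefined (and therefore false) on Windows PowerShell 5.1, so
# fall back to the OS environment variable there.
if ($IsWindows -or $env:OS -eq 'Windows_NT') {
    Test-WindowsFirewall
} elseif ($IsMacOS) {
    Test-MacFirewall
} else {
    Write-Warning 'This example covers Windows and macOS only.'
}
```

Run it once without `-Fix` and read the output: on Windows, any profile marked NEEDS FIX corresponds to step 2, and the rule table is the list you would otherwise review under “Allow an app through firewall”. On a server, the rules to keep are the ones for services it genuinely provides; everything else is a candidate for `Disable-NetFirewallRule`. The `-Fix` path deliberately changes only the settings the procedures above tell you to turn on, so it will not lock you out of a machine by removing rules on its own.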

Key Takeaways

  • Focus first on Windows devices, servers, and any system that connects to the internet directly.
  • Laptops are very high-risk and should always have a host-based firewall enabled.
  • Don’t stress over IoT devices too much—segmentation is your best defense there.
  • Once configured, firewalls quietly protect your devices in the background with little to no daily maintenance.