This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy.

The recommended state for this setting is: No.

Note: When the Apply local firewall rules setting is configured to No, it is recommended to also configure the Display a notification setting to No. Otherwise, users will continue to receive messages asking whether they want to unblock a restricted inbound connection, but the user's response will be ignored.

Rationale:
When in the Public profile, there should be no special local firewall exceptions per computer. These settings should be managed by a centralized policy.

Impact:
Administrators can still create firewall rules, but the rules will not be applied.
Solution
To establish the recommended configuration via GP, set the following UI path to No:

Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Public Profile\Settings Customize\Apply local firewall rules

Default Value:
Yes (default). (Firewall rules created by administrators will be applied.)

Additional Information:
Windows Firewall with Advanced Security Technical Implementation Guide: Version 1, Release 7, Benchmark Date: April 27, 2018
Vul ID: V-17442
Rule ID: SV-54917r3_rule
STIG ID: WNFWA-000024
Severity: CAT II
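The following audit script is an added example, not part of the benchmark text; it checks both the policy-backed registry values that the GP path above writes and the effective Public profile state, and flags the notification mismatch the Note describes. It assumes PowerShell 5.1 or later with the NetSecurity module (Windows 8 / Server 2012 or later) and local administrator rights; the registry value names AllowLocalPolicyMerge and DisableNotifications are the policy values behind "Apply local firewall rules" and "Display a notification".

```powershell
# Added audit example (not from the benchmark). Assumes NetSecurity module and admin rights.
function Test-PublicProfileLocalRuleMerge {
    [CmdletBinding()]
    param()

    # Policy-backed values written when the GP setting is configured.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile'
    $result = [ordered]@{
        PolicyKeyPresent         = Test-Path $policyKey
        AllowLocalPolicyMerge    = $null   # expected 0  ("Apply local firewall rules" = No)
        DisableNotifications     = $null   # expected 1  ("Display a notification" = No)
        EffectiveAllowLocalRules = $null   # expected False
        EffectiveNotifyOnListen  = $null   # expected False
        Compliant                = $false
    }

    if ($result.PolicyKeyPresent) {
        $props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
        $result.AllowLocalPolicyMerge = $props.AllowLocalPolicyMerge
        $result.DisableNotifications  = $props.DisableNotifications
    }

    # ActiveStore returns the merged, effective configuration (GPO plus local store).
    $fwProfile = Get-NetFirewallProfile -Name Public -PolicyStore ActiveStore
    $result.EffectiveAllowLocalRules = $fwProfile.AllowLocalFirewallRules
    $result.EffectiveNotifyOnListen  = $fwProfile.NotifyOnListen

    # Compliant only when GP explicitly sets merge to 0 AND the effective value is False;
    # a local-only "False" without the policy value could be changed by a local admin.
    $result.Compliant = ($result.AllowLocalPolicyMerge -eq 0) -and
                        ("$($fwProfile.AllowLocalFirewallRules)" -eq 'False')

    [pscustomobject]$result
}

# Example usage: audit this host and warn about the prompt-but-ignored condition.
$r = Test-PublicProfileLocalRuleMerge
$r | Format-List
if ($r.Compliant -and "$($r.EffectiveNotifyOnListen)" -ne 'False') {
    Write-Warning 'Apply local firewall rules is No, but Display a notification is still enabled: users will be prompted and their answer ignored.'
}
```

Run it after a gpupdate on a representative Public-profile host; a Compliant value of False with PolicyKeyPresent False means the GPO has not applied at all, rather than that the setting was overridden.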