Block Nmap Scans on Windows

TL;DR

Nmap is a powerful network scanning tool often used by attackers to find vulnerabilities. This guide shows you how to block common Nmap scan types on your Windows machine using the Windows Firewall with Advanced Security.

Blocking Nmap Scans: A Step-by-Step Guide

1. Open Windows Firewall with Advanced Security

• Press the Windows key, type “firewall”, and select “Windows Defender Firewall with Advanced Security”.

Create a New Inbound Rule

• In the left pane, click “Inbound Rules”.
• In the right pane, click “New Rule…”.

Rule Type: Port

• Select “Port” and click “Next”.

Specify Protocol and Ports

• Select “TCP”.
• Choose “Specific local ports:”.
• Enter the following ports, one at a time. Create a separate rule for each port or comma-separate them (but creating individual rules is recommended for clarity):
  • 21 (FTP)
  • 22 (SSH)
  • 23 (Telnet)
  • 25 (SMTP)
  • 53 (DNS)
  • 80 (HTTP)
  • 110 (POP3)
  • 143 (IMAP)
  • 443 (HTTPS)
  • 3389 (RDP – Caution: Blocking RDP can lock you out of your machine! Only block if you don’t need remote access.)
  • Any other ports running services you want to protect.
• Click “Next”.

Action: Block the Connection

• Select “Block the connection” and click “Next”.

Profile: Domain, Private, Public

• Leave all three checkboxes (Domain, Private, Public) selected. This ensures the rule applies to all network types. Click “Next”.

Name and Description

• Give the rule a descriptive name like “Block Nmap FTP Scan” or “Block Common Ports”. Add a description explaining its purpose.
• Click “Finish”.

Repeat for UDP ports (Important!)

• Repeat steps 2-7, but in step 3 select “UDP” instead of “TCP”. Enter the same port numbers as before. Nmap often uses both TCP and UDP scans.

Block ICMP (Ping) Scans

• Create a new inbound rule (steps 2-7).
• In step 3, select “ICMPv4”.
• Select all ICMP types.
• Follow the remaining steps to block the connection and name the rule appropriately (e.g., “Block Nmap Ping Scan”).

Advanced Blocking: Custom Rules for Specific Nmap Techniques

Nmap uses various techniques beyond simple port scans. While blocking all ports and ICMP covers many common attacks, more sophisticated scans might still get through.

• SYN Scan (-sS): This is a stealthy scan that doesn’t complete the TCP handshake. Blocking all incoming connections on those ports (as above) helps mitigate this.
• ACK Scan (-sA): Used to map firewall rulesets. Again, blocking common ports will reduce its effectiveness.
• UDP Scan (-sU): Covered in step 8.
• FIN/NULL/Xmas Scans (-sF, -sN, -sX): These scans rely on subtle TCP flag combinations. Blocking all incoming connections is the best defense.

Verify Your Rules

• In the “Inbound Rules” list, ensure your new rules are present and enabled (green checkmark icon).
• You can test if Nmap scans are blocked by running Nmap from another machine against your target IP address. You should see no open ports or filtered results for the ports you’ve blocked.

  nmap -sS -p 1-65535