If you ignore or have disabled the Windows firewall, you risk depriving yourself of good basic protections that are easy to set up and maintain.
Since Windows XP SP2, Windows Firewall has been enabled by default. Even so, in many deployments the Windows firewall is disabled. This is a remnant of old practice, from a time when it was hard to work out how to let applications through. Windows 10 and Windows Server 2019 already ship with most of the necessary firewall policies built in, and access is relatively easy to configure. Tuning the Windows firewall settings further gives better protection against lateral movement and attackers. Here’s how.
Create rules for binaries or executables
If an application needs a special rule, build it based on the binary or executable, not the port. This ensures that the firewall only opens when the application is active. If one creates a firewall rule using a port, this port remains open and exposes the system.
Identify blocked apps
By default, Windows machines show an alert when an application is blocked. However, an IT admin will sometimes prefer to use the event log to identify blocked applications rather than rely on easy-to-miss taskbar pop-ups. To find out which applications Windows Firewall has blocked, look for event ID 5031 in the Security event log. It indicates that Windows Firewall blocked an application from accepting incoming connections on the network. You can also use this event to find applications for which no rule exists in Windows Firewall.
Implement security monitoring
If you are using a security event log tracking solution to monitor events, keep the following things in mind:
– If a specific application is expected to be the one this event reports, monitor for events whose “Application” does not match that application.
– Monitor for an “Application” that is not in a standard folder (e.g., not in System32 or Program Files) or that is in a restricted folder (e.g., Temporary Internet Files).
– If you have a predefined list of partial strings or restricted words in application names (for example, “mimikatz” or “cain.exe”), check if these partial strings are in “Application”.
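As an added example (not code from the original article), the PowerShell script below reads event 5031 from the live Security log or from an exported .evtx file and applies the three checks above; the expected-application list, the folder lists and the restricted words are placeholder assumptions to adapt to your environment.

```powershell
# Added example: triage Windows Firewall event 5031 with the three checks above.
# Assumptions: the list defaults below are placeholders, not values from the article.
[CmdletBinding()]
param(
    [string]$EvtxPath,                    # optional exported .evtx; omit to read the live Security log
    [string[]]$ExpectedApps = @(),        # NT device paths, e.g. '\device\harddiskvolume2\program files\app\app.exe'
    [string[]]$TrustedFolders = @('\windows\system32\', '\program files\', '\program files (x86)\'),
    [string[]]$RestrictedFolders = @('\temporary internet files\', '\temp\', '\downloads\'),
    [string[]]$RestrictedWords = @('mimikatz', 'cain.exe')
)

$filter = @{ Id = 5031 }
if ($EvtxPath) { $filter.Path = $EvtxPath } else { $filter.LogName = 'Security' }
$events   = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
$expected = @($ExpectedApps | ForEach-Object { $_.ToLower() })

foreach ($e in $events) {
    # 5031 stores its fields (ProfileUsed, Application) in EventData; read them from the event XML.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $app = [string]$data['Application']
    $lc  = $app.ToLower()   # NT device path, e.g. \device\harddiskvolume2\windows\system32\svchost.exe

    $findings = @()
    if ($expected.Count -gt 0 -and $expected -notcontains $lc) { $findings += 'not the predefined application' }
    if (-not ($TrustedFolders | Where-Object { $lc.Contains($_) })) { $findings += 'outside System32/Program Files' }
    if ($RestrictedFolders | Where-Object { $lc.Contains($_) })     { $findings += 'in a restricted folder' }
    foreach ($w in $RestrictedWords) {
        if ($lc.Contains($w.ToLower())) { $findings += "name contains '$w'" }
    }

    # Emit one object per event that trips at least one check; pipe to Export-Csv or a SIEM forwarder.
    if ($findings.Count -gt 0) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Computer    = $e.MachineName
            Profile     = $data['ProfileUsed']
            Application = $app
            Findings    = ($findings -join '; ')
        }
    }
}
```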
Block PowerShell from internet access
You can use Windows Firewall to block applications from reaching resources. As described in the SANS forum post referenced here, you can block PowerShell’s access to the internet. The first rule below allows PowerShell to reach the local subnet; the second rule blocks all other outbound traffic from PowerShell.
C:\> netsh advfirewall firewall add rule name="PS-Allow-LAN" dir=out remoteip=localsubnet action=allow program="c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe"
C:\> netsh advfirewall firewall add rule name="PS-Deny-All" dir=out action=block program="c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe"
These rules can protect systems against attacks that use PowerShell to contact command-and-control servers and to launch ransomware and other payloads. PowerShell should not be removed, but rather hardened and logged to ensure it is used as intended.
You can also create rules for multiple versions of PowerShell:
C:\> for /R %f in (powershell*.exe) do ( netsh advfirewall firewall add rule name="PS-Allow-LAN (%f)" dir=out remoteip=localsubnet action=allow program="%f" enable=yes
netsh advfirewall firewall add rule name="PS-Deny-All (%f)" dir=out action=block program="%f" enable=yes )
Firewall rule to prevent PowerShell from accessing the internet. (Credit: Susan Bradley)
You will see the resulting rule in the outbound firewall rule settings:
Windows Firewall rules. (Credit: Susan Bradley)
This approach will not work if PowerShell is deliberately hidden, for example by running a copy of the binary from another location or under a different name. It blocks only the easier attacks.
Set firewall rules with PowerShell
As Microsoft explains, it is also possible to set firewall rules with PowerShell. For example, to block port 80 outbound on a server, use the following PowerShell command:
New-NetFirewallRule -DisplayName "Block Outbound Port 80" -Direction Outbound -LocalPort 80 -Protocol TCP -Action Block
The basic properties to be entered are:
DisplayName – The friendly name of the firewall rule.
Direction – Whether the rule applies to traffic leaving the computer (Outbound) or entering it (Inbound).
Action – What to do with traffic that matches the rule: Allow or Block.
The NetSecurity PowerShell module provides much finer control and management of Windows Firewall; all of its cmdlets are documented in Microsoft’s NetSecurity module reference.
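As an added example (not from the original article or the SANS post), the script below builds the allow-LAN / deny-everything-else pair for PowerShell with the NetSecurity module and then reads back what the firewall stored. It also handles a caveat the netsh pair does not: Windows Firewall evaluates block rules before allow rules, so a block rule with RemoteAddress Any would override the LocalSubnet allow; the block rule is therefore scoped to non-private IPv4 ranges (an assumption; adjust the ranges and the program path to your environment).

```powershell
# Added example: PS-Allow-LAN / PS-Deny-Internet built with New-NetFirewallRule.
# Assumptions: powershell.exe path, rule prefix and the public IPv4 ranges below.
[CmdletBinding(SupportsShouldProcess)]   # lets the script be dry-run with -WhatIf
param(
    [string]$Program = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    [string]$Prefix  = 'PS',
    [switch]$Remove
)

# Everything except RFC 1918, loopback, link-local and multicast space, as explicit ranges.
# Block rules win over allow rules, so the block must NOT cover the local subnet.
$publicRanges = @(
    '1.0.0.0-9.255.255.255',      '11.0.0.0-126.255.255.255',  '128.0.0.0-169.253.255.255',
    '169.255.0.0-172.15.255.255', '172.32.0.0-192.167.255.255', '192.169.0.0-223.255.255.255'
)

if ($Remove) {
    Get-NetFirewallRule -DisplayName "$Prefix-*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    return
}

$rules = @(
    @{ DisplayName = "$Prefix-Allow-LAN";      Action = 'Allow'; RemoteAddress = 'LocalSubnet'  },
    @{ DisplayName = "$Prefix-Deny-Internet";  Action = 'Block'; RemoteAddress = $publicRanges }
)
foreach ($r in $rules) {
    New-NetFirewallRule -DisplayName $r.DisplayName -Direction Outbound -Program $Program `
        -RemoteAddress $r.RemoteAddress -Action $r.Action -Profile Any -Enabled True | Out-Null
}

# Verify: show each rule with the program and address scope the firewall actually holds.
if (-not $WhatIfPreference) {
    Get-NetFirewallRule -DisplayName "$Prefix-*" | ForEach-Object {
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Action  = $_.Action
            Program = ($_ | Get-NetFirewallApplicationFilter).Program
            Remote  = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', ')
        }
    }
}
```

Run it once with -WhatIf to review the rules it would create, and with -Remove to back them out.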
Learn about new Windows 10 security measures
Remember that with each version of Windows 10, Microsoft releases new security measures and makes suggestions in terms of firewall policies.
Windows 10 2004 core policies. (Credit: Susan Bradley)
By default, incoming connections should be blocked for the domain profile and the private profile.
Audit settings regularly
Finally, when you review the security posture of your network, periodically inspect the settings of a random sample of workstations and examine the firewall policies on each one. It is often surprising to find rules that applications have created for themselves where no blocking rules were set up for that segment.
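As an added example (not from the original article), this script spot-checks one workstation the way the audit above describes: it reports profiles whose inbound default is not Block and lists enabled inbound allow rules, flagging those that look application-created. The folder pattern and the use of WinRM for remote hosts are assumptions; omit -ComputerName to audit the local machine.

```powershell
# Added example: one-workstation firewall audit for the periodic sample check above.
# Assumptions: WinRM reachable for remote hosts; "standard folder" means Windows or Program Files.
[CmdletBinding()]
param([string]$ComputerName)

$cim = if ($ComputerName) { @{ CimSession = (New-CimSession -ComputerName $ComputerName) } } else { @{} }

# 1. Profiles: inbound connections should default to Block on Domain and Private (and Public).
$profiles = Get-NetFirewallProfile @cim | Select-Object Name, Enabled, DefaultInboundAction
$weak     = @($profiles | Where-Object { -not $_.Enabled -or $_.DefaultInboundAction -ne 'Block' })

# 2. Enabled inbound allow rules, joined to the program and ports each one opens on the host.
$allowIn = @(Get-NetFirewallRule @cim -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
    ForEach-Object {
        $app  = $_ | Get-NetFirewallApplicationFilter @cim
        $port = $_ | Get-NetFirewallPortFilter @cim
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Group     = $_.DisplayGroup
            Program   = $app.Program
            LocalPort = ($port.LocalPort -join ',')
            Profile   = $_.Profile
            # Rules that applications create for themselves usually have no DisplayGroup
            # and point at a program outside the Windows or Program Files folders.
            Suspicious = [bool](-not $_.DisplayGroup -and $app.Program -notin 'Any', 'System' -and
                $app.Program -notmatch '^(%SystemRoot%|%ProgramFiles%|C:\\Windows|C:\\Program Files)')
        }
    })

# Summary object first, then the detail rows worth a second look.
[pscustomobject]@{
    Computer        = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
    WeakProfiles    = ($weak.Name -join ', ')
    InboundAllow    = $allowIn.Count
    SuspiciousRules = @($allowIn | Where-Object Suspicious).Count
}
$allowIn | Where-Object Suspicious | Format-Table Rule, Program, LocalPort, Profile -AutoSize
```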