If you ignore Windows Firewall, or have disabled it, you are giving up good basic protection that is easy to set up and maintain.
Since Windows XP SP2, Windows Firewall has been enabled by default. Even so, in many deployments it is disabled. This is a leftover from the days when it was hard to work out how to let applications through. Windows 10 and Windows Server 2019 already ship with most of the firewall policies you need, and access is relatively easy to configure. By tightening the Windows Firewall settings further, you can better protect yourself against lateral movement and attackers. Here’s how.
Create rules for binaries or executables
If an application needs a special rule, it must be built based on the binary or the executable, and not on the port. This ensures that the firewall does not open until the application is active. If you create a firewall rule using a port, that port remains open and exposes the system.
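The contrast described above, written as PowerShell (an added example, not code from the original article): the same inbound allowance first as a port-only rule, then bound to the binary. The application path, port and rule names are constructed placeholders.

```powershell
# Added example (not part of the original article): the same inbound allowance written
# the weak way (by port) and the recommended way (by binary). The application path and
# port are constructed placeholders; replace them with the real executable and port.

$AppPath = 'C:\Program Files\ExampleVendor\ExampleApp\app.exe'   # placeholder path
$AppPort = 8443                                                  # placeholder port

# Weak form: the port stays open whether or not ExampleApp is running, so any process
# that later binds TCP 8443 is reachable from the network. Shown for contrast only.
# New-NetFirewallRule -DisplayName 'ExampleApp (port only)' -Direction Inbound `
#     -Protocol TCP -LocalPort $AppPort -Action Allow

# Recommended form: bind the rule to the binary (and still to the port it needs).
# Traffic is accepted only while this exact executable is the listening process.
New-NetFirewallRule -DisplayName 'ExampleApp (program-based)' -Direction Inbound `
    -Program $AppPath -Protocol TCP -LocalPort $AppPort -Action Allow `
    -Profile Domain, Private

# Check that the program binding actually took (Program reads 'Any' on a port-only rule):
Get-NetFirewallRule -DisplayName 'ExampleApp (program-based)' |
    Get-NetFirewallApplicationFilter | Select-Object Program
```

Run from an elevated PowerShell session; the final query is the check worth keeping in a deployment script, since a rule that reports `Program : Any` is exactly the port-only exposure the article warns about.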
Identify blocked applications
By default, Windows machines raise an alert when an application is blocked. There are times, however, when an IT administrator would rather use the event log to identify blocked applications than rely on the easy-to-miss taskbar pop-ups. To find out which applications Windows Firewall has blocked, search the event logs for event 5031. It indicates that Windows Firewall has blocked an application from accepting incoming connections over the network. The same event also reveals applications for which no Windows Firewall rule exists.
Establish security surveillance
If you are using a security event log tracking solution to monitor events, keep the following in mind:
– If a particular application is expected to perform the operation this event reports, watch for events whose “Application” is not that application.
– Watch for an “Application” that is not in a standard folder (for example, not in System32 or Program Files) or that is in a restricted folder (for example, Temporary Internet Files).
– If you keep a list of partial strings or restricted words for application names (for example, “mimikatz” or “cain.exe”), check whether any of them appears in “Application”.
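The three checks above, applied to event 5031, as an added example (not code from the original article). The expected-application list, the folder lists and the watch-word list are assumptions to adapt to the host being monitored; the sample paths at the end are constructed so the triage function can be tried offline.

```powershell
# Added example (not part of the original article): triage of Windows Firewall event 5031
# using the three checks from the article. The expected-application list, folder lists and
# watch-word list are assumptions; adapt them to the host being monitored.

$ExpectedApps   = @('\windows\system32\svchost.exe')          # assumed allow-list for this host
$StandardRoots  = @('\windows\system32\', '\program files\', '\program files (x86)\')
$RestrictedDirs = @('\temporary internet files\', '\appdata\local\temp\', '\users\public\')
$WatchWords     = @('mimikatz', 'cain.exe')

function Test-BlockedApplication {
    param([Parameter(Mandatory)][string]$Application)
    # 5031 reports the binary as an NT device path (\device\harddiskvolumeN\...);
    # normalise to lower case and strip the volume prefix before matching.
    $path = $Application.ToLowerInvariant() -replace '^\\device\\harddiskvolume\d+', ''
    $findings = @()
    if ($ExpectedApps -notcontains $path) { $findings += 'not an expected application' }
    if (-not ($StandardRoots | Where-Object { $path -like "*$_*" })) { $findings += 'outside standard folders' }
    if ($RestrictedDirs | Where-Object { $path -like "*$_*" }) { $findings += 'in a restricted folder' }
    if ($WatchWords | Where-Object { $path -like "*$_*" }) { $findings += 'matches watch-word list' }
    [pscustomobject]@{ Application = $Application; Findings = ($findings -join '; ') }
}

function Get-BlockedApplicationEvents {
    param([int]$MaxEvents = 200)
    # Reading the Security log needs an elevated session; "no events found" is not an error here.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5031 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            $xml = [xml]$evt.ToXml()
            # The blocked binary is the 'Application' field of the event's EventData.
            $app = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'Application' }).'#text'
            Test-BlockedApplication -Application $app |
                Add-Member -NotePropertyName TimeCreated -NotePropertyValue $evt.TimeCreated -PassThru
        }
}

# Constructed sample paths, in the form 5031 reports them, for an offline dry run:
$sample = @(
    '\device\harddiskvolume2\windows\system32\svchost.exe',
    '\device\harddiskvolume2\users\alice\appdata\local\temp\updater.exe',
    '\device\harddiskvolume2\program files\examplevendor\cain.exe'
)
$sample | ForEach-Object { Test-BlockedApplication -Application $_ } | Format-Table -AutoSize

# On a live host, show only the events that produced findings:
# Get-BlockedApplicationEvents | Where-Object { $_.Findings } | Format-Table -AutoSize
```

In the dry run the svchost.exe path produces no findings, the Temp-folder binary is flagged on all three checks except the watch words, and the cain.exe path is flagged as unexpected and as a watch-word hit. Note that an allow-list of full paths is strict on purpose: a binary that has moved out of System32 fails the first check even before the folder checks run.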
Block PowerShell from Internet Access
You can use Windows Firewall to block an application’s access to network resources. As noted in a SANS forum post, you can block PowerShell’s access to the Internet. The first rule below allows PowerShell to reach the local subnet; the second blocks all of its other outbound traffic.
C:\> netsh advfirewall firewall add rule name="PS-Allow-LAN" dir=out remoteip=localsubnet action=allow program="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" enable=yes
C:\> netsh advfirewall firewall add rule name="PS-Deny-All" dir=out action=block program="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" enable=yes
These rules can protect systems from attacks that use PowerShell to reach command-and-control servers and to launch ransomware and other attacks. PowerShell should not be removed, but rather hardened and secured so that it is only used as intended.
You can also create the rule pair for every PowerShell binary found below the current directory (in a batch file, write %%f instead of %f):
C:\> for /R %f in (powershell*.exe) do (netsh advfirewall firewall add rule name="PS-Allow-LAN (%f)" dir=out remoteip=localsubnet action=allow program="%f" enable=yes & netsh advfirewall firewall add rule name="PS-Deny-All (%f)" dir=out action=block program="%f" enable=yes)
Firewall rule to prevent PowerShell from accessing the Internet. (Credit: Susan Bradley)
You will see the resulting rule in the outgoing firewall rule settings:
Windows Firewall rules. (Credit: Susan Bradley)
If an attacker copies powershell.exe to another location or renames it, these rules no longer apply, because they match on the program path; they still stop the opportunistic attacks that use the binary in place. Test the pair on one machine before deploying it widely: Windows Firewall gives block rules precedence over allow rules, so confirm that PS-Allow-LAN still permits the subnet traffic you expect.
Define firewall rules with PowerShell
As Microsoft explains, it is possible to define firewall rules with PowerShell. For example, to block outgoing port 80 on a server, use the following PowerShell command:
New-NetFirewallRule -DisplayName "Block Outbound Port 80" -Direction Outbound -LocalPort 80 -Protocol TCP -Action Block
The basic properties to be filled in are:
DisplayName – the friendly name of the firewall rule.
Direction – whether the rule applies to traffic leaving the computer (Outbound) or entering it (Inbound).
Action – what to do with traffic that matches the rule: Allow or Block.
Many more cmdlets in the PowerShell NetSecurity module give finer control over Windows Firewall and its management; all are documented in Microsoft’s NetSecurity module reference.
Learn about new security measures in Windows 10
Remember that with each version of Windows 10, Microsoft is releasing new security measures and making suggestions in terms of firewall policies.
Windows 10 2004 basic policies. (Credit: Susan Bradley)
The default for the domain and private profiles should be to block incoming connections.
Audit the parameters regularly
Finally, when you check the security status of your network, regularly examine the settings of a random sample of workstations and review the firewall rules on each one. It is often surprising how many rules applications have created for themselves when no blocking rules were set up on a given segment.
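The audit described above, and the NetSecurity cmdlets mentioned earlier, as an added example (not code from the original article): it reads the policy actually in effect on a workstation and flags the two things the article warns about, allow rules scoped only to a port and rules applications created for themselves in the local store. The workstation names in the remote variant are placeholders.

```powershell
# Added example (not part of the original article): audit the firewall policy that is
# actually in effect on a workstation, looking for allow rules with no program or service
# binding (port-only rules) and rules created locally rather than through Group Policy.

function Get-FirewallRuleAudit {
    param([string]$Direction = 'Inbound')
    # ActiveStore is the merged result of local rules and Group Policy rules.
    Get-NetFirewallRule -PolicyStore ActiveStore -Direction $Direction -Enabled True -Action Allow |
        ForEach-Object {
            $rule    = $_
            $program = ($rule | Get-NetFirewallApplicationFilter).Program   # 'Any' if not bound
            $service = ($rule | Get-NetFirewallServiceFilter).Service       # 'Any' if not bound
            $port    = $rule | Get-NetFirewallPortFilter
            $local   = ($port.LocalPort -join ',')                           # 'Any' if not bound
            [pscustomobject]@{
                Name      = $rule.DisplayName
                Profile   = $rule.Profile
                Source    = $rule.PolicyStoreSourceType                     # Local or GroupPolicy
                Program   = $program
                Service   = $service
                Protocol  = $port.Protocol
                LocalPort = $local
                # An open port with nothing tying it to a binary or service: the pattern to avoid.
                PortOnly  = ($program -eq 'Any' -and $service -eq 'Any' -and $local -ne 'Any')
            }
        }
}

$audit = Get-FirewallRuleAudit -Direction Inbound

"Port-only allow rules:"
$audit | Where-Object { $_.PortOnly } | Format-Table Name, Profile, Protocol, LocalPort, Source -AutoSize

"Locally created allow rules (not from Group Policy):"
$audit | Where-Object { $_.Source -eq 'Local' } | Format-Table Name, Program, Protocol, LocalPort -AutoSize

# For a random sample of workstations (names are placeholders), run the same audit remotely
# over PowerShell remoting; the function body is shipped as the script block:
# $sample = Get-Random -InputObject @('WS-0001', 'WS-0002', 'WS-0003') -Count 2
# Invoke-Command -ComputerName $sample -ScriptBlock ${function:Get-FirewallRuleAudit} |
#     Where-Object { $_.PortOnly } | Format-Table PSComputerName, Name, LocalPort -AutoSize
```

Run it elevated. Rules whose Source is Local and whose Program is a path under a user profile are the self-created application rules the article has in mind; rules that are PortOnly are candidates for rewriting against the binary as described at the start of the article.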