The Windows Defender Firewall rises

The Windows Defender Firewall rises

This blog is the seventh part of the Endpoint Security Series, I’ll explain how to deploy your Windows Defender firewall baseline policy rules into Intune.

I will divide this blog into multiple parts

  1. Background Information
  2. Deploying Rules with the Firewall Migration Tool
  3. Deploy Rules with a PowerShell Script
  4. Manually deploying rules with Intune (Endpoint Security)
  5. Automatically deploying rules with Intune (Endpoint Security)
  6. Don’t Forget to lock it down!
  7. Removing the Firewall Rules
  8. Results

1.Background Information

Configuring Windows Defender Firewall rules on your Windows 10 device shouldn’t be forgotten. You really don’t want to have unauthorized network traffic coming from and to your Windows 10 Devices.

The Windows Firewall is enabled by default, but it still needs some additional configuration when you want to add an additional layer to your defence. You could add some allow or deny rules to your existing configuration.

As a good example: Do you know which ports are most used to establish a reverse PowerShell? TCP Port 444 is one of the many examples.

An introduction to Reverse Shells – JCore Blog

So when we don’t need this port for outbound traffic, why not blocking it?

2. Deploying Rules with the Firewall Migration Tool

When I first wrote this blog (2020-07), the Microsoft defender firewall rule migration tool was released, the first time I tested it, it didn’t work like expected. I couldn’t edit the imported rules but now, after a few months, it worked great!

In most companies, the Defender Firewall rules are centrally managed and deployed with Group policies. So it’s great there is a tool now to migrate them to Intune! So download the tool and start migrating them.

Before I could do anything, I needed to remove the __PSLOCKDownPolicy to 1….Otherwise, you are stuck to the constrained language mode. Don’t forget to launch PowerShell as admin

After installing all of the required modules it prompted me for my Microsoft credentials.

After entering the Microsoft Tenant Admin credentials the Firewall rules were exported and imported successfully in Intune.

3. Deploy rules with a Powershell Script

Of course, a PowerShell script works! You could use Netsh to add some Firewall rules!

Netsh.exe advfirewall firewall add rule name="Block Notepad.exe netconns" program="%systemroot%\system32\notepad.exe" protocol=tcp dir=out enable=yes action=block profile=any
Netsh.exe advfirewall firewall add rule name="Block regsvr32.exe netconns" program="%systemroot%\system32\regsvr32.exe" protocol=tcp dir=out enable=yes action=block profile=any
Netsh.exe advfirewall firewall add rule name="Block calc.exe netconns" program="%systemroot%\system32\calc.exe" protocol=tcp dir=out enable=yes action=block profile=any
Netsh.exe advfirewall firewall add rule name="Block mshta.exe netconns" program="%systemroot%\system32\mshta.exe" protocol=tcp dir=out enable=yes action=block profile=any
Netsh.exe advfirewall firewall add rule name="Block wscript.exe netconns" program="%systemroot%\system32\wscript.exe" protocol=tcp dir=out enable=yes action=block profile=any
Netsh.exe advfirewall firewall add rule name="Block cscript.exe netconns" program="%systemroot%\system32\cscript.exe" protocol=tcp dir=out enable=yes action=block profile=any
Netsh.exe advfirewall firewall add rule name="Block runscripthelper.exe netconns" program="%systemroot%\system32\runscripthelper.exe" protocol=tcp dir=out enable=yes action=block profile=any

But, wouldn’t it be nicer to configure the firewall rules within the Endpoint Security section instead of deploying the firewall rules to your devices with a PowerShell script? Because altering an existing firewall rule through PowerShell is not ideal.

4. Manually Deploying rules with Intune (Endpoint Security)

Go open Intune and open Endpoint Security and click On Firewall and start creating a policy.

As you can see, you can define your own additional firewall rules.

What rules are we going to implement? I guess we need to look back to my blog about Applocker where I mentioned the Lolbas project.

https://lolbas-project.github.io/

It’s a lot of work if you choose to configure all these Lolbins manually. It takes about 1 or 2 minutes to create just one firewall rule. So, it’s going to take a lot of time to block all the Lolbins.

Waiting GIFs - Get the best GIF on GIPHY

5. Automatically Deploying rules with Intune (Endpoint Security)

When you are not in the position to use the Migration Tool you could just use this PowerShell script below to let the automation begin!

https://call4cloud.nl/wp-content/uploads/2020/07/Windows10_firewall_rules.txt

Open a PowerShell Script and Copy-Paste the whole text content and watch it go.

And within a few seconds the Endpoint Security Windows Defender Firewall Rules policy is created with alot of rules in it.

6. Don’t forget to lock it down

Only creating Firewall Rules isn’t the best practice you also need to be 100% sure the Firewall is up and running. Secondly, you really don’t want the firewall to easily be disabled. To do so, we need to create an additional Endpoint Security Firewall policy.

And make sure you turn on the Microsoft Defender Firewall for Public/Private and the domain network.

When the policy is deployed you can try to change the Firewall Settings in the Security Settings Page. It’s greyed out!

But what about the old school settings? As shown below… (Opened the MMC as admin) I could still disable it!

But even with the proper policies it still isn’t enforced? Requesting a Diagnostic report also showed me the correct setting.

I was really expecting something like this?

Looking back at the Endpoint Security Defender Firewall policy… I was hoping that configuring this policy would make sure no one could change the Firewall Settings.

So for now, until I find the reason why it doesn’t lock it, I created an additional PowerShell script to make sure it was on and enforced!

new-item -Path 'HKLM:\SOFTWARE\Policies\Microsoft' -name "WindowsFirewall"
new-item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall' -name "DomainProfile"
new-item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall' -name "PublicProfile"
new-item -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall' -name "StandardProfile"
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' -name "EnableFirewall" -Value 1
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile' -name "EnableFirewall" -Value 1
Set-ItemProperty -Path 
'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile' -name "EnableFirewall" -Value 1

You could add this to your Baseline Hardening script like I did in this blog at part 6

7. Removing the Firewall Rules

If you want to remove the Endpoint Security Firewall Rules, you are lucky because the tattooing issue with some Endpoint Security Configuration profiles is gone. When you remove the profile or remove the assignments, the Firewall rules are also removed from the endpoint!

8. Results

You always need to be 100% certain when you configure “something” it’s working and applied! When we need to check if the firewall rules are deployed we can use 4 methods.

1.Windows Defender Firewall MMC

When looking at the advanced firewall rules, you’ll notice the rules you configured are missing. It’s weird… but look at the monitoring/firewall section, you will notice the rules arrived on the devices

2.Registry

You can also open the registry to check if the firewall rules are active!

3.Intune Reporting

Of course when you want to know if the Firewall is enabled on all the devices, just open Intune and generate the Firewall Report

4.PowerShell

Get-NetFirewallRule -PolicyStore ActiveStore | where-object { $_.DisplayName -eq “FireWallRuleName” } 

Testing it

Now we are pretty sure the Windows Firewall is enabled and all the Firewall rules are configured let’s test it…I opened a cmd and tried to telnet to an FTP server.

Connection failed… just as I wanted it to fail! So your rules are doing their job.

Conclusion:

Blocking specific programs or ports for outbound connections is a great idea but you have to be careful. Because blocking a programs outbound connection can break some stuff. It’s also best practice to block PowerShell outbound. Beware the rules are for all users! When you block PowerShell, it’ll be blocked for everyone!

Beware, Windows Defender Firewall is just another security barrier, it doesn’t mean it will stop all intrusions!

terminator funny gif | WiffleGif

If you want to read more here is the link to the other Endpoint Security blogs

https://call4cloud.nl/category/endpoint-security-series/

2 thoughts on “The Windows Defender Firewall rises

  1. Hi, great blogpost, would you be willing to share all the firewall rules you put in place please?

    1. Normally this would be the most process I will block

      https://call4cloud.nl/wp-content/uploads/2020/07/Windows10_firewall_rules.txt

Leave a Reply

Your email address will not be published. Required fields are marked *

42  +    =  51