2025-03-10 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
If you ignore or disable Windows Firewall, you give up basic protection that is easy to set up and maintain.
Windows Firewall has been enabled by default since Windows XP SP2, yet we still see cases where it is switched off at deployment time out of old habit. With Windows 10 and Server 2019 most of the firewall rules you need are already built in, so setting up access is relatively easy. Even so, the default configuration should often be hardened further to better protect against lateral movement and other attacks.
Build rules for binaries or executables
If an application needs a special rule, build it around the binary or executable, not the port. A program-based rule only matches traffic to or from that image, so the opening exists only while the application is actually listening. A rule built on a port alone leaves that port open to whatever process happens to bind it, whether or not the intended application is running, and so exposes the system.
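To make the difference concrete, here is the same inbound access granted both ways with the NetSecurity cmdlets. This is an added example, not code from the original article; the service path C:\Program Files\Example\listener.exe and port 8443 are assumptions, and the commands need an elevated prompt.

```powershell
# Added example, not from the original article. The listener path and port
# are assumptions for illustration.
$Svc  = 'C:\Program Files\Example\listener.exe'   # assumed service binary
$Port = 8443                                       # assumed listening port

# Weak form: any process that binds TCP/8443 is reachable, whether or not
# the intended service is installed or running. Created disabled here so it
# can be inspected alongside the good rule without actually opening the port.
New-NetFirewallRule -DisplayName 'Example-Port-Only' -Direction Inbound `
    -Protocol TCP -LocalPort $Port -Action Allow -Enabled False | Out-Null

# Preferred form: the opening follows the binary. If listener.exe is not the
# process on the socket, the rule does not match and the port stays closed.
# Adding the port as well keeps the rule from also exposing any other
# socket the same binary might open.
New-NetFirewallRule -DisplayName 'Example-Program' -Direction Inbound `
    -Program $Svc -Protocol TCP -LocalPort $Port -Action Allow | Out-Null

# Compare the two: the port-only rule has no application filter (Program = Any).
foreach ($name in 'Example-Port-Only', 'Example-Program') {
    $rule = Get-NetFirewallRule -DisplayName $name
    [pscustomobject]@{
        Rule    = $name
        Enabled = $rule.Enabled
        Program = ($rule | Get-NetFirewallApplicationFilter).Program
        Port    = ($rule | Get-NetFirewallPortFilter).LocalPort
    }
}
```

The comparison table at the end is the check to keep in mind when reviewing rules: anything inbound with Program = Any deserves a second look.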
Identify blocked applications
When an application is blocked, a Windows device raises a notification by default. Administrators will usually prefer the event log to those tray pop-ups, which are easy to miss. To find out which applications Windows Firewall is blocking, search the Security log for event ID 5031, "The Windows Firewall Service blocked an application from accepting incoming connections on the network". The event is produced by failure auditing in the Filtering Platform Connection subcategory, so that audit setting must be enabled for it to appear. Use this event to detect applications that have no Windows Firewall rule.
Set up security monitoring
If you monitor this event with a security event log monitoring solution, keep the following in mind:
● If you have a predefined list of applications that are expected to appear in this event, alert when the "Application" field is not one of them.
● Alert when "Application" is not in a standard folder (for example, not under System32 or Program Files) or is in a restricted folder (for example, Temporary Internet Files).
● If you keep a list of restricted substrings or words for application names (for example, "mimikatz" or "cain.exe"), check the "Application" field for them.
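One way to turn the event 5031 search and the three monitoring checks above into a script. This is an added example, not code from the original article; the expected-listener list, the watch-words and the folder lists are assumptions to adapt to your estate, and it must run in an elevated session to read the Security log.

```powershell
# Added example, not from the original article. Pulls Security event 5031
# ("The Windows Firewall Service blocked an application from accepting
# incoming connections on the network") and applies the three checks above.
# $KnownListeners, $WatchWords and the folder lists are assumptions.

# 5031 is written by failure auditing in the "Filtering Platform Connection"
# subcategory, which is off by default on workstations.
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable | Out-Null

# 5031 reports the image as an NT device path (\device\harddiskvolumeN\...),
# so every comparison below is done on the lower-cased path tail.
$KnownListeners = @('\windows\system32\svchost.exe', '\program files\example\agent.exe')   # assumed
$WatchWords     = @('mimikatz', 'cain.exe', 'procdump')                                    # assumed
$StandardDirs   = @('\windows\system32\', '\program files\', '\program files (x86)\')
$RestrictedDirs = @('\inetcache\', '\temporary internet files\', '\appdata\local\temp\', '\users\public\')

function Get-BlockedListener {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    # -ErrorAction SilentlyContinue: Get-WinEvent throws when nothing matches.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5031; StartTime = $Since } `
                           -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        $xml = [xml]$ev.ToXml()
        $app = ($xml.Event.EventData.Data | Where-Object Name -eq 'Application').'#text'
        if (-not $app) { continue }
        $lower   = $app.ToLowerInvariant()
        $reasons = @()

        # Check 1: not one of the applications expected to show up in this event
        if (-not ($KnownListeners | Where-Object { $lower.EndsWith($_) })) {
            $reasons += 'not on the expected-listener list'
        }
        # Check 2: outside the standard folders, or inside a restricted one
        if (-not ($StandardDirs | Where-Object { $lower.Contains($_) })) {
            $reasons += 'outside System32/Program Files'
        }
        if ($RestrictedDirs | Where-Object { $lower.Contains($_) }) {
            $reasons += 'in a restricted folder'
        }
        # Check 3: restricted substrings in the image path
        $hits = $WatchWords | Where-Object { $lower.Contains($_) }
        if ($hits) { $reasons += "watch-word: $($hits -join ',')" }

        if ($reasons) {
            [pscustomobject]@{
                Time        = $ev.TimeCreated
                Application = $app
                Reasons     = $reasons -join '; '
            }
        }
    }
}

Get-BlockedListener | Sort-Object Time | Format-Table -AutoSize
```

In a domain, turn on the Filtering Platform Connection audit setting through the audit policy GPO rather than per host; the auditpol line is there so the script is complete on a stand-alone machine. Event 5031 is a failure-audit event, so an alerting pipeline that only forwards success audits will never see it.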
Prevent PowerShell from accessing Internet
Windows Firewall can also keep an application away from resources it should not reach, and a common case is preventing PowerShell from reaching the Internet. The first rule below allows PowerShell to reach the local subnet; the second blocks all of its other outbound traffic. One caveat: Windows Firewall evaluates explicit block rules before allow rules, so a block rule that matches every remote address, as PS-Deny-All does, also wins over PS-Allow-LAN and cuts off the local subnet too. To keep LAN access, scope the block rule's remoteip to the address ranges outside the local subnet.
C:\> netsh advfirewall firewall add rule name="PS-Allow-LAN" dir=out remoteip=localsubnet action=allow program="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" enable=yes
C:\> netsh advfirewall firewall add rule name="PS-Deny-All" dir=out action=block program="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" enable=yes
This blunts attacks that use PowerShell as a command-and-control channel to pull down ransomware and other tooling. PowerShell should not be removed; it should be hardened and its expected uses documented, so that anything outside them stands out.
You can also build rules for every PowerShell host image found under the current directory. Run this from C:\Windows so it picks up both the System32 and SysWOW64 copies (for /R recurses from the current directory); inside a batch file write %%f instead of %f:
C:\Windows> for /R %f in (powershell*.exe) do (netsh advfirewall firewall add rule name="PS-Allow-LAN (%f)" dir=out remoteip=localsubnet action=allow program="%f" enable=yes & netsh advfirewall firewall add rule name="PS-Deny-All (%f)" dir=out action=block program="%f" enable=yes)
You will see the generated rules under Outbound Rules in Windows Defender Firewall with Advanced Security. [Figure: the PS-Allow-LAN and PS-Deny-All rules in the Outbound Rules list]
These rules key on the program path. If an attacker copies powershell.exe to another location, renames it, or runs the PowerShell engine inside a different host process, the rules above do not apply to it, which is why the event-log monitoring described earlier still matters.
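The same pair of rules rebuilt with the NetSecurity cmdlets, with the block rule scoped so that it does not also match the local subnet (an explicit block rule wins over an allow rule in Windows Firewall, so a block on every remote address would override PS-Allow-LAN). This is an added example, not code from the original article; it assumes an RFC 1918 internal address plan, the default 64-bit and 32-bit Windows PowerShell paths, and the default install path of pwsh.exe for PowerShell 7, which the powershell*.exe loop above would not catch.

```powershell
# Added example, not from the original article. Assumes RFC 1918 addressing
# and default host paths; adjust $External and $Hosts to your site.
$Hosts = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",   # 32-bit host
    "$env:ProgramFiles\PowerShell\7\pwsh.exe"                            # PowerShell 7, assumed path
) | Where-Object { Test-Path $_ }

# Everything that is not RFC 1918 IPv4 or IPv6 global unicast (2000::/3).
# Scoping the block this way is what keeps the LocalSubnet allow rule alive.
$External = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255',
    '2000::/3'
)

foreach ($exe in $Hosts) {
    $leaf = Split-Path $exe -Leaf
    # Drop any earlier copy so the script can be re-run safely
    Get-NetFirewallRule -DisplayName "PS-*-$leaf" -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    # Only matters if the outbound default is ever switched to Block, but it
    # documents the intent and mirrors the PS-Allow-LAN rule above.
    New-NetFirewallRule -DisplayName "PS-Allow-LAN-$leaf" -Direction Outbound -Program $exe `
        -RemoteAddress LocalSubnet -Action Allow -Profile Any | Out-Null

    New-NetFirewallRule -DisplayName "PS-Deny-Internet-$leaf" -Direction Outbound -Program $exe `
        -RemoteAddress $External -Action Block -Profile Any | Out-Null
}

# Verify: program and remote scope of every PS-* rule
Get-NetFirewallRule -DisplayName 'PS-*' | ForEach-Object {
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Action  = $_.Action
        Program = ($_ | Get-NetFirewallApplicationFilter).Program
        Remote  = (($_ | Get-NetFirewallAddressFilter).RemoteAddress) -join ','
    }
} | Format-Table -AutoSize
```

Run it from an elevated prompt. The rules still key on the image path, so a copied or renamed host is not covered; that gap is closed by monitoring, not by more firewall rules.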
Use PowerShell to set firewall rules
You can also set firewall rules from PowerShell, as Microsoft documents. For example, Microsoft's own sample to block outbound port 80 on a server is:
New-NetFirewallRule -DisplayName "Block Outbound Port 80" -Direction Outbound -LocalPort 80 -Protocol TCP -Action Block
Note what that matches: for an outbound connection the local port is the ephemeral source port, so -LocalPort 80 only catches connections that originate from local port 80. To stop the machine from talking HTTP to other hosts, filter on -RemotePort 80 instead.
The basic attributes you need to fill in are:
● DisplayName: a friendly name for the rule
● Direction: whether the rule applies to traffic leaving the computer (Outbound) or entering it (Inbound)
● Action: what to do when the rule matches, Allow or Block
Many more cmdlets are available for controlling and managing Windows Firewall; all of them are documented under the NetSecurity module.
Check the new Windows 10 security benchmark
Don't forget that Microsoft publishes a new security baseline for every version of Windows 10, and each baseline includes recommended firewall policies.
[Figure: Windows 10 version 2004 baseline firewall policy]
As a minimum, inbound connections should be blocked by default for the domain and private profiles.
Periodic audit settings
Finally, when reviewing the security posture of the network, periodically pick a few workstations at random and audit their settings, comparing the effective firewall policy on each sampled machine against the baseline you expect.
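A spot-check script for that audit. This is an added example, not code from the original article: it reads the effective (GPO-merged) profile settings on a random sample of workstations, reports anything that departs from the points above (firewall on, inbound blocked, dropped packets logged), and lists enabled inbound allow rules that do not belong to a predefined group so they can be reviewed by hand. The computer names are assumptions, and PowerShell remoting must be enabled on the targets.

```powershell
# Added example, not from the original article. $Workstations is an assumed
# inventory; in practice pull it from Get-ADComputer or the CMDB.
$Audit = {
    $me = $env:COMPUTERNAME
    # ActiveStore = what is actually in force, including Group Policy
    foreach ($p in Get-NetFirewallProfile -PolicyStore ActiveStore) {
        if ($p.Enabled -ne 'True') {
            [pscustomobject]@{ Computer = $me; Profile = $p.Name; Finding = 'Firewall disabled' }
        }
        if ($p.DefaultInboundAction -ne 'Block') {
            [pscustomobject]@{ Computer = $me; Profile = $p.Name
                               Finding  = "Default inbound is $($p.DefaultInboundAction), expected Block" }
        }
        if ($p.LogBlocked -ne 'True') {
            [pscustomobject]@{ Computer = $me; Profile = $p.Name; Finding = 'Dropped packets not logged' }
        }
    }
    # Enabled inbound allow rules with no Group are the locally added ones;
    # those are what a human should look at during the audit.
    Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Action Allow -Enabled True |
        Where-Object { -not $_.Group } |
        ForEach-Object {
            $prog = ($_ | Get-NetFirewallApplicationFilter).Program
            $port = ($_ | Get-NetFirewallPortFilter).LocalPort
            [pscustomobject]@{ Computer = $me; Profile = $_.Profile
                               Finding  = "Custom inbound allow: $($_.DisplayName) program=$prog port=$port" }
        }
}

$Workstations = 'WS01', 'WS02', 'WS03', 'WS04', 'WS05', 'WS06'   # assumed
$Sample       = $Workstations | Get-Random -Count 3

$results = Invoke-Command -ComputerName $Sample -ScriptBlock $Audit -ErrorAction Continue
$results | Sort-Object Computer, Profile | Format-Table Computer, Profile, Finding -AutoSize
```

To check only the machine you are sitting at, run `& $Audit` instead of Invoke-Command. A program of Any on one of the custom inbound rules is exactly the port-based rule the first section warned against.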
© 2024 shulou.com SLNews company. All rights reserved.