Let’s firewall some stuff, shall we?
So, what is a firewall? Let’s not get philosophical, let’s get down to business!
A firewall is hardware, or in this case, software that protects a host or zone by checking inbound (and if needed outbound) traffic on the network. Windows firewall is a host-based software firewall that’s been a part of Windows Server since Windows Server 2003.
With the release of Windows 10 build 1709 (September 2017), it was renamed Windows Defender Firewall.
We have many ways of interacting with the Windows Defender Firewall. I’m listing some of them below, but for the sake of simplicity we will do as the 744 exam ref does and focus on the advanced security console!
firewall.cpl
#opens the Windows Defender Firewall control panel
netsh advfirewall firewall
#uses the now legacy netsh command-line program to configure
#the firewall programmatically
Show-ControlPanelItem -Name 'Windows Defender Firewall'
#opens the Windows Defender Firewall control panel from PowerShell
Get-NetFirewallRule
Copy-NetFirewallRule
New-NetFirewallRule
#and many more
This link provides you with all cmdlet descriptions and syntax for all Network Security cmdlets. Be aware, there’s a lot more than just firewall things here.
wf.msc
#opens the Windows Defender Firewall with Advanced Security MMC console
Finally, we get to the “big fish”. For this step to make sense, please open the console on your own PC, or use the following picture for reference.
On the left-hand side you’ll notice four categories:
Let’s first start by getting to know how the firewall rules work!
Let’s dig deeper into the inbound rules. For this, I present to you a snip from my own personal firewall (mind you, everything’s in Norwegian).
In this picture we get a sense of what we can configure - there are also three more columns to the right that got cut off in formatting, but bear with me.
If we right click Inbound Rules we can filter the rules to make it easier to review, or create new rules.
For this we are going to create an inbound rule that allows us to receive traffic on UDP port 1337 from all hosts on the 10.10.10.0/24 network.
First, let’s do it the fast way, using PowerShell/cmd.
netsh advfirewall firewall add rule name="Truls Example Rule 1337" dir=in action=allow protocol=UDP localport=1337 enable=yes remoteip=10.10.10.0/24 profile=private
#netsh version - works from both cmd and PowerShell
New-NetFirewallRule -DisplayName "Truls Example Rule 1337" -Direction Inbound -LocalPort 1337 -Protocol UDP -Action Allow -RemoteAddress 10.10.10.0/24 -Enabled $True -Profile Private
#PowerShell version, using the NetSecurity module
Alternatively, we can use the New Inbound Rule Wizard by right-clicking the Inbound Rules node and selecting New Rule. Here we would select Rule Type (Port), define Protocol and Ports (UDP/1337), choose an Action (allow), determine the Profile (private) and choose a Name (Truls Example Rule 1337).
To view the rule I just created, I can do
Get-NetFirewallRule -DisplayName "Truls Example Rule 1337"
By that logic, to change rule settings easily in the same PowerShell session, I can do something like this
Get-NetFirewallRule -DisplayName "Truls Example Rule 1337" | Set-NetFirewallRule -Description "Test" -LocalPort 1338 -Profile Any
#-Profile accepts Any, Domain, Private, Public or NotApplicable - "All" is not a valid value
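As an added example (not code from the original post), the following script creates the same UDP/1337 rule idempotently and then reads the rule back together with its port and address filters, so you can confirm it is scoped the way you intended and spot other inbound Allow rules that are open to any remote address. It assumes an elevated PowerShell session with the built-in NetSecurity module; the rule name and subnet are the ones from the post.

```powershell
# Added example, not code from the original post. Assumes an elevated PowerShell
# session with the built-in NetSecurity module; the rule name and subnet are the
# ones used in the post.
$name = "Truls Example Rule 1337"

# Create the rule only if it does not exist yet, so re-running the script does
# not pile up duplicate rules with the same display name.
if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol UDP `
        -LocalPort 1337 -RemoteAddress 10.10.10.0/24 -Action Allow `
        -Profile Private -Enabled True | Out-Null
}

# Get-NetFirewallRule returns only the rule header; protocol/port and address
# scope live in separate filter objects that are linked to the rule.
function Get-RuleScope {
    param([Parameter(ValueFromPipeline)] $Rule)
    process {
        $port = $Rule | Get-NetFirewallPortFilter
        $addr = $Rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $Rule.DisplayName
            Enabled       = $Rule.Enabled
            Profile       = $Rule.Profile
            Action        = $Rule.Action
            Protocol      = $port.Protocol
            LocalPort     = ($port.LocalPort -join ',')
            RemoteAddress = ($addr.RemoteAddress -join ',')
            # An inbound Allow rule open to every remote address deserves a second look.
            Unscoped      = ($Rule.Action -eq 'Allow' -and 'Any' -in @($addr.RemoteAddress))
        }
    }
}

# 1. Confirm the rule we just made is scoped the way we intended.
Get-NetFirewallRule -DisplayName $name | Get-RuleScope | Format-List

# 2. Review all enabled inbound Allow rules in the active store and list the
#    ones that accept traffic from any remote address.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Get-RuleScope | Where-Object Unscoped | Sort-Object Name |
    Format-Table Name, Profile, Protocol, LocalPort, RemoteAddress -AutoSize
```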
To add several rules to a group, I can create a simple loop that adds all inbound rules with SQL in the name to a generic SQL rule group:
$sql_rules = Get-NetFirewallRule -DisplayName "*SQL*" -Direction Inbound
#-DisplayName accepts wildcards; -Direction expects Inbound or Outbound, not "in"
ForEach($rule in $sql_rules) {
    $rule | Set-NetFirewallRule -Group "Generic SQL rules"
}
netsh doesn’t offer the same capabilities: there, the name parameter has to match the name of the rule you want to find exactly (as far as I know).
To export using netsh, use the following command
netsh advfirewall export "C:\temp\firewallz_rule.wfw"
Importing follows the exact same logic
netsh advfirewall import "C:\temp\firewallz_rule.wfw"
PowerShell does not have the same export/import functionality, but we can use Copy-NetFirewallRule to copy either a group or an entire policy store to a new one. A policy store is a container for firewall and IPsec policy - a Group Policy Object, in that sense, is also a policy store.
First, let’s copy our single rule from earlier
Copy-NetFirewallRule -DisplayName "Truls Example Rule 1337" -NewName "Truls Example Rule 1338"
Then, let’s copy our SQL group!
Copy-NetFirewallRule -Group "Generic SQL rules" -Enabled $True -PolicyStore truls.lab\SQL_Server -NewPolicyStore truls.lab\SQL_Server_New
Last, but not least, let’s copy the entirety of the domain rules over to a new policy store! This requires access to the new policy store, obviously.
Get-NetFirewallProfile -Profile Domain -PolicyStore truls.lab\Security_Baseline | Copy-NetFirewallRule -NewPolicyStore new.lab\Copied_Security_Baseline
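As an added example (not code from the original post), here is a way to check that a copy between policy stores actually produced the same rule set, for instance after the Copy-NetFirewallRule commands above. The store names are the placeholders from the post; reading a GPO store ("domain\GPOName") needs rights to that GPO, and the comparison assumes the copied rules keep their rule Name (the internal ID).

```powershell
# Added example, not code from the original post. Compares the rule set in a
# source policy store with the one in a destination store. The store names are
# placeholders; reading a GPO store ("domain\GPOName") needs rights to that GPO,
# and "PersistentStore" would be the local machine's own policy.
function Compare-FirewallStore {
    param(
        [Parameter(Mandatory)] [string] $SourceStore,
        [Parameter(Mandatory)] [string] $TargetStore
    )
    # Rules are keyed on Name (the internal rule ID) rather than DisplayName,
    # because display names are allowed to repeat within a store. Assumes the
    # copy kept the Name of each rule.
    $src = @{}; $dst = @{}
    Get-NetFirewallRule -PolicyStore $SourceStore -ErrorAction Stop | ForEach-Object { $src[$_.Name] = $_ }
    Get-NetFirewallRule -PolicyStore $TargetStore -ErrorAction Stop | ForEach-Object { $dst[$_.Name] = $_ }

    foreach ($key in $src.Keys) {
        $s = $src[$key]; $t = $dst[$key]
        $status = if (-not $t) { 'MissingInTarget' }
                  elseif ($s.Enabled -ne $t.Enabled -or $s.Action -ne $t.Action -or
                          $s.Direction -ne $t.Direction -or $s.Profile -ne $t.Profile) { 'Differs' }
                  else { 'Same' }
        [pscustomobject]@{ Rule = $s.DisplayName; Status = $status }
    }
    # Rules that exist only in the target are also worth knowing about.
    foreach ($key in $dst.Keys) {
        if (-not $src.ContainsKey($key)) {
            [pscustomobject]@{ Rule = $dst[$key].DisplayName; Status = 'ExtraInTarget' }
        }
    }
}

# Show only the differences between the two stores from the post.
Compare-FirewallStore -SourceStore 'truls.lab\Security_Baseline' `
                      -TargetStore 'new.lab\Copied_Security_Baseline' |
    Where-Object Status -ne 'Same' | Format-Table -AutoSize
```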
Network location profiles are used by the Network Location Awareness service that runs on Windows Server and client operating systems. There are three default profiles, which most people using Windows in some shape or form are familiar with:
For the 744 exam it’s assumed that we are working with:
So further on in this sub-chapter we’ll be talking about the domain profile.
This procedure is almost identical to configuring the firewall on a host, except for these first two steps:
\Computer Configuration\Policies\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security\Windows Defender Firewall with Advanced Security\Inbound Rules
Now, the process is the same as using the New Inbound Rule Wizard.
Earlier we exported some rules we had created - if those rules are something you’d want to push to, say, all your clients, you can easily import the rules in the Group Policy Editor. Simply navigate to this GPO:
\Computer Configuration\Policies\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security\Windows Defender Firewall with Advanced Security
Right-click the ‘Windows Firewall with Advanced Security’ node and select Import Policy. All we need to do now is select our exported ‘firewallz_rule.wfw’, and we’re done.
Next time we’re taking a look at connection security rules and some more tips and tricks for configuring the Windows Defender Firewall.
If you have any suggestions on items I can add, please let me know!
The world of security is always changing, and that’s also the case for Microsoft. To follow all their updates, new products, retirements and name changes, please use the following link to stay updated on all their blogs and updates. Here they discuss updated baselines and so much more.
Most of this writing is strongly influenced by the 70-744 Exam Reference - so there will be a lot of similarities. It’s a great book, please check it out.