Tag Archives: Outbound rules

Windows Defender Firewall with Advanced Security – what is that Advanced Security part? Let’s remove the dust … (Part 2 – Outbound filtering)

In this quick post I would like to emphasize that by using Outbound filtering in Windows Defender Firewall with Advanced Security you can do some kind of “segmentation” without real segmentation that would include implementation of VLANs, moving of your management interfaces IP addresses to different segments, switches configuration, implementation of access lists / firewall rules between segments that we all know that takes a lot of time and effort.

Yes, you should do it but in the meantime while you are preparing for such project implement outbound firewall rules on your clients‘ and by doing so prevent lateral movement of potential hacker from infected / compromised machine to other machines in the neighborhood …

But even more importantly – prevent your clients’ machines to access devices / interfaces / protocols that they do not ever need.
For example – do your end users need to access switches management interfaces? Or servers out-of-band management cards? Or your UPS management interfaces? Or your servers (excluding RDP servers) on port tcp 3389? And finally (as this will be covered in the video) do your end users ever use Powershell to access network resources or download stuff from the internet by using cmdlet: Invoke-WebRequest (or something similar)?
Probably (hopefully) the answer is NO.
And Windows Defender Firewall with Advanced Security and its possibility to apply outbound rules to your clients will help you achieve such state in your network.

In this short video I am showing outbound firewall rules that prevent (only) Powershell (32/64 bit, ISE, not ISE and also the one accessed remotely via Powershell Remoting) to access the internet.
Powershell is a great tool that is often (as it is directly integrated in operating system) abused by people that do not have good intentions 🙂 So by misleading the users to click on something that triggers Powershell (as legit tool in Windows) and runs some scripts Powershell is able to download some extra malware from the internet.
By using this firewall rules at least we do not need to worry that malware will be delivered by some Powershell script. 🙂 By following this example you can create your outbound firewall rules that can increase security of your endpoints.

Windows Defender Firewall with Advanced Security – what is that Advanced Security part? Let’s remove the dust … (Part 1 – Firewall baseline)

In most environments where I work I see poorly or not implemented at all Windows Defender Firewall with Advanced Security, even if since Windows Server 2008 and Windows Vista (well in fact a lot of things were there also before but not so intuitively configurable …) it provides great features that can drastically increase security in the network environments …

First of all it provides inbound and outbound filtering – with outbound rules you can do a lot to prevent your users accessing other devices inside your networks …

At least in Slovenia (yes, we are quite a small country where good old Small Business Server was widely adopted) there are still many companies that do not have real segmentation in place (with vlans for printers, users workstations, servers, network management, access lists between segments…) – and we all know that implementing it when you have everything in-place is quite an effort and a project that can take a lot of time…

Well while you are preparing for this step you can do a lot by using outbound rules on Windows Defender Firewall with Advanced Security and simply disallow your end users to access management interfaces of your network devices, you can prevent users to establish connection to servers on protocol that they do not need and so on …

For now we were talking just about basic inbound / outbound rules but what is that Advanced Security part in it’s name? Well we will cover that in next parts dedicated to this great piece of software that you all already have included in your operating system.

Today I would like to just quickly go through basic implementation that I will call Firewall baseline for client computers where I will just deploy a Group Policy object where I will configure Windows Firewall to be turned on and to ignore local rules – this is very important when you are deploying Windows Firewall – by doing so after Group Policy is applied all local rules will be ignored (also those that could be potentially created afterwards by user who has local admin rights) – only and exclusively rules that you define through Group Policy will be effective on your workstations. This is important to be sure that you are completely in control of what is going on on your workstations (and of course servers) firewall.

In the video you can see that at the beginning I am remotely connected to a client PC (that will get firewall settings later through Group Policy) and after Group Policy is applied RDP sessions in disconnected (as local rules are not effective any more (Apply local firewall rules: No) – and only after I add manual exemplary rule for RDP (tcp port 3389) RDP session* is reconnected.

*Yes, this rule is without any extra parameters and making such rule is not a good idea – as it opens RDP from anywhere to the workstation affected by this policy – it was created just for demo purposes for this video.