
Firewall policies #35

Open
obsti8383 opened this issue Aug 27, 2017 · 1 comment
@obsti8383 (Collaborator) wrote:

Are there firewall policies that can help against common threats without breaking things? E.g. Velocet suggested:
"The Explorer leaks NTLM hashes (not in every case) and your IP (every case) by simply displaying a folder that contains a specially crafted "desktop.ini": Create a new firewall rule that prevents explorer.exe from accessing the internet..."

Another idea:
I assume setting the default rule for outgoing connections to "not allow" will break lots of things (via "netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound")?

Any experience out there?

@Velocet commented Sep 3, 2017

I would suggest blocking everything and only allowing certain apps. In the case of explorer.exe this will break LAN connections (File Sharing, Computer Browser, etc.). To circumvent this it is possible to only allow connections to the local subnet and only if the network is "trusted" (e.g. Private/Home, Domain):

netsh advfirewall firewall add rule name="Explorer (Local Subnet)" description="Local Subnet" group="HardenTools" dir=out action=allow profile=Private,Domain remoteip=localsubnet program="%SystemRoot%\explorer.exe"

I think the better way is to use PowerShell because this seems to use WMI to create the rule and thus it is possible to set a group:

New-NetFirewallRule -DisplayName 'Explorer (Local Subnet)' -Name 'Explorer (Local Subnet)' -Description 'Local Subnet' -Direction Outbound -Action Allow -Group 'HardenTools' -Profile Private,Domain -RemoteAddress LocalSubnet -Program "$([Environment]::GetFolderPath('Windows'))\explorer.exe"

When a group is set, rules become more manageable, as in this example where all HardenTools rules get disabled:

netsh advfirewall firewall set rule group="HardenTools" new enable=no

I am using Windows Firewall Control from binisoft and can really recommend it. Very lightweight, and it's just a frontend for the built-in firewall. Another simple (and also open source) app to manage fw rules is simplewall.

The whitelist approach is "the best" since everything gets blocked and only known applications are allowed.
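The following script is an added example, not code posted in this thread or shipped by the project. It ties together the two points above: obsti8383's question about switching the default outbound policy to block, and Velocet's grouped, local-subnet-only allow rule for explorer.exe. It assumes a Windows version with the NetSecurity PowerShell module (Windows 8/Server 2012 or later), an elevated shell, and that the allow rules are created before the default policy is flipped; the group name 'HardenTools' and the rule name come from the thread, the function name and description text are illustrative.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the issue): outbound whitelisting for explorer.exe,
# grouped so the whole rule set can be reviewed, disabled or re-enabled in one step.

$Group    = 'HardenTools'                    # group name used in the thread
$RuleName = 'Explorer (Local Subnet)'        # rule name used in the thread
$Explorer = Join-Path ([Environment]::GetFolderPath('Windows')) 'explorer.exe'

# 1. Create the allow rule only if it does not exist yet, so re-running the
#    script does not pile up duplicate rules with the same name.
if (-not (Get-NetFirewallRule -Name $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name $RuleName -DisplayName $RuleName `
        -Description 'Allow explorer.exe only to the local subnet on trusted networks' `
        -Group $Group -Direction Outbound -Action Allow `
        -Profile Private, Domain -RemoteAddress LocalSubnet -Program $Explorer | Out-Null
}

# 2. Review everything in the group before changing the default policy.
#    This is the PowerShell equivalent of selecting rules by group in netsh.
Get-NetFirewallRule -Group $Group |
    Select-Object Name, Enabled, Direction, Action, Profile |
    Format-Table -AutoSize

# 3. Only once the allow rules are in place, set the default outbound action to
#    Block on the trusted profiles (the counterpart of netsh's 'blockoutbound').
#    Public is left alone here so it can be handled deliberately and separately.
Set-NetFirewallProfile -Profile Private, Domain -DefaultOutboundAction Block

# 4. One-step rollback if LAN access or another app breaks: disable the whole
#    group and restore the Windows default (outbound Allow).
function Undo-HardenToolsRules {
    Get-NetFirewallRule -Group $Group | Disable-NetFirewallRule
    Set-NetFirewallProfile -Profile Private, Domain -DefaultOutboundAction Allow
}
```

Run the script once to apply the rule and the policy; call Undo-HardenToolsRules (defined in the same session) to back everything out. Step 2 is deliberately placed before step 3 because, as noted in the question, a default outbound block is the part most likely to break things, and seeing exactly which allow rules exist in the group is the check a practitioner wants before flipping it.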
