Using Windows Firewall with Advanced Security to block unnecessary traffic
I encounter far too many networks with policies in place that disable the built-in Windows Firewall with Advanced Security (WFAS) by default on all their machines. Usually, if I ask about this, the reason is either unknown or 'It's always been that way.' I think this is a carry-over from the Windows XP/Server 2003 days, or maybe even older, when Windows Firewall was less than desirable. WFAS in today's operating systems is very advanced, stable, and beneficial – a far cry from the days of Windows XP. If you want to stop unnecessary or malicious traffic from getting to your server, look no further than this built-in tool.
Getting ready
We are going to use two Windows Server 2019 machines for this task. We will test connectivity between the two to set our baseline and then create a rule that blocks the functions we just tested. Next, we will test again to ensure that our changes did what we expected them to, blocking the traffic that we attempt to generate. It is important to set up a baseline of tests and run those same tests following each change to ensure the rules are working exactly as you want them to.
How to do it…
If you want to stop unnecessary traffic from getting to your server, execute the following instructions:
- First, we want to test the existing connectivity. Log into your DC02 server. From there, I execute Test-Connection web01 in PowerShell and get a successful connection. I can also open up File Explorer and browse to \\WEB01 and see a folder shared there. This baseline test tells me that both ICMP (ping) traffic and file access are currently open and allowed by WFAS on WEB01. For the sake of this exercise, we will stop these functions from happening:
- Log into WEB01 and open Windows Defender Firewall with Advanced Security. You can open it either by typing its name on the Start screen, or by opening a Run prompt and typing wf.msc.
- Inside WFAS, your two best friends when trying to control traffic are the Inbound Rules and Outbound Rules sections on the left. You need to think of inbound and outbound from the server's perspective. Inbound rules manipulate traffic that is flowing in toward your server, while outbound rules handle traffic flowing out of your server toward the rest of the network. If you click on Inbound Rules, you will see the list of preconfigured rules that exist already:
- First, let's make a rule to stop the ability to ping the server. Some archaic security models require this, so it's a common enough thing to implement (even if it provides little actual security). Right-click on Inbound Rules and click on New Rule….
- On the first screen, choose Custom. Other, more straightforward rules can be done using some of the other options on this page, but we're going to go through all the screens for now.
- Leave the default All programs option selected and move onto the next screen.
- In the Protocols and Ports screen, under Protocol type, choose ICMPv4:
- On the Scope screen, leave the options as the defaults. As you can see, if you wanted to, you could restrict this rule so that it only affects certain IP addresses.
- On the Action screen, ensure that you choose Block the connection:
- For the Profile screen leave these as the defaults.
- On the Name screen, give your rule a descriptive name such as Block ICMP.
- You did it! You will see that the new rule exists and that it is immediately put into action. If you head back to your other servers, you will see that Test-Connection web01, which we ran in Step 1, now fails.
Windows Firewall can also be used to restrict which connections your server can make itself – not just which servers can connect to it. We can do this on the Outbound Rules screen. Another common rule that security teams like to enforce is to block servers from using any other DNS servers than the ones that they control. Thankfully, this is also fairly easy to implement:
- On WEB01, go back to Windows Defender Firewall with Advanced Security but this time, choose Outbound Rules and then New Rule….
- For Rule Type, select Custom.
- Leave the default All programs selected and move onto the next screen.
- For Protocols and Ports, select the TCP protocol. For Remote port, enter 53 (this is the port that DNS operates on):
- On the Scope screen, for Which remote IP addresses does this rule apply to?, choose These IP addresses and then click Add….
- Choose Predefined set of computers and then select Internet. Click OK:
- Click Next to move onto the Actions screen. This time, Block the connection has been chosen by default. Leave it like this.
- For the Profile screen, leave the options as the defaults.
- Give another memorable name such as Block DNS (TCP) and click Finish.
However, we're only halfway done. DNS runs over port 53 on both TCP and UDP, and the firewall only lets us select either TCP or UDP as the protocol of a single rule, not both. So, you will need to repeat steps 1 through 9, this time selecting UDP as the protocol in step 4 and giving the rule a matching name such as Block DNS (UDP) in step 9.
As usual, that was a lot of clicking through the GUI. And, as usual, there are PowerShell one-liners that can do the exact same work:
New-NetFirewallRule -DisplayName 'Block ICMP' -Direction Inbound -Protocol ICMPv4 -Action Block
New-NetFirewallRule -DisplayName 'Block DNS (TCP)' -Direction Outbound -Protocol TCP -RemotePort 53 -RemoteAddress Internet -Action Block
New-NetFirewallRule -DisplayName 'Block DNS (UDP)' -Direction Outbound -Protocol UDP -RemotePort 53 -RemoteAddress Internet -Action Block
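Because the recipe insists on a baseline before and a re-test after every change, here is an added PowerShell script (my example, not code from the book) that ties the ICMP and DNS procedures together: it records the baseline, creates the same three rules as the one-liners above (skipping any that already exist), reads back what the firewall actually stored, and runs the checks again. It assumes it is run as Administrator on WEB01, that DC02 accepts WinRM so the ping can be launched from the peer side, and that $ExternalDns (a placeholder in the documentation address range) and $TestName are replaced with a resolver outside your network and a name your internal DNS servers resolve.

```powershell
# Added example, not code from the book: baseline -> apply rules -> re-test,
# the test/change/test loop the recipe recommends. Assumptions (adjust for
# your lab): runs as Administrator on WEB01; DC02 accepts WinRM for the remote
# ping check; $ExternalDns is a placeholder in the documentation range and
# $TestName is a name your internal DNS servers can resolve.
#Requires -RunAsAdministrator

$Server      = $env:COMPUTERNAME   # WEB01, the server that receives the rules
$Peer        = 'DC02'              # the machine that pings WEB01 in Step 1
$ExternalDns = '203.0.113.53'      # placeholder: replace with a resolver outside your network
$TestName    = 'dc02'              # a name your internal DNS resolves

function Test-Baseline {
    # Runs the checks the rules are meant to change (peer ping, external DNS)
    # and one they must leave alone (internal DNS). Returns an object so the
    # before/after results can be compared side by side.
    param([string]$Peer, [string]$Server, [string]$ExternalDns, [string]$TestName)

    # The ICMP rule is inbound to WEB01, so the ping has to originate on the peer.
    $ping = Invoke-Command -ComputerName $Peer -ScriptBlock {
        param($Target) Test-Connection -ComputerName $Target -Count 2 -Quiet
    } -ArgumentList $Server

    # Resolve-DnsName uses UDP first (exercises the UDP rule); -TcpOnly forces
    # TCP (exercises the TCP rule). -DnsOnly skips the cache and hosts file.
    $q = @{ Name = 'example.com'; Server = $ExternalDns; Type = 'A'; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
    $extUdp = $null -ne (Resolve-DnsName @q)
    $extTcp = $null -ne (Resolve-DnsName @q -TcpOnly)

    # Internal resolution goes to the configured (intranet) DNS servers, which
    # the Internet-scoped outbound rules do not cover.
    $internal = $null -ne (Resolve-DnsName -Name $TestName -Type A -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        PeerCanPing    = $ping
        ExternalDnsUdp = $extUdp
        ExternalDnsTcp = $extTcp
        InternalDns    = $internal
    }
}

function New-RecipeRules {
    # The same three rules as the recipe's one-liners, with an existence check
    # so the script can be re-run without creating duplicate rules.
    $rules = @(
        @{ DisplayName = 'Block ICMP';      Direction = 'Inbound';  Protocol = 'ICMPv4' }
        @{ DisplayName = 'Block DNS (TCP)'; Direction = 'Outbound'; Protocol = 'TCP'; RemotePort = 53; RemoteAddress = 'Internet' }
        @{ DisplayName = 'Block DNS (UDP)'; Direction = 'Outbound'; Protocol = 'UDP'; RemotePort = 53; RemoteAddress = 'Internet' }
    )
    foreach ($r in $rules) {
        if (-not (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule @r -Action Block | Out-Null
        }
    }
}

function Show-RecipeRules {
    # Read back what the firewall actually stored. The rule object itself does
    # not carry the port or the address scope; those live in associated filters.
    Get-NetFirewallRule -DisplayName 'Block ICMP', 'Block DNS (*)' | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule = $_.DisplayName; Direction = $_.Direction; Action = $_.Action
            Protocol = $port.Protocol; RemotePort = $port.RemotePort; RemoteAddress = $addr.RemoteAddress
        }
    }
}

Write-Host '--- Baseline, before any rule is created ---'
Test-Baseline -Peer $Peer -Server $Server -ExternalDns $ExternalDns -TestName $TestName | Format-List

New-RecipeRules
Show-RecipeRules | Format-Table -AutoSize

Write-Host '--- Same checks, after the rules ---'
Test-Baseline -Peer $Peer -Server $Server -ExternalDns $ExternalDns -TestName $TestName | Format-List

# To undo the change while testing:
#   Get-NetFirewallRule -DisplayName 'Block ICMP', 'Block DNS (*)' | Remove-NetFirewallRule
```

After the rules are in place, PeerCanPing and both ExternalDns checks should flip to False while InternalDns stays True, which is the whole point of scoping the outbound rules to the Internet set rather than to any address. Two practical notes: each blocked Resolve-DnsName call waits for its own timeout before returning, so the second run is noticeably slower than the baseline, and if WinRM is not enabled on DC02 the Invoke-Command step fails; in that case run Test-Connection web01 on DC02 by hand, exactly as in Step 1. Reading the port and address filters back is the scripted equivalent of opening the rule's Protocols and Ports and Scope tabs in the GUI, and is the check worth keeping when these rules are later pushed out by Group Policy.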
How it works…
We used Windows Defender Firewall with Advanced Security to create a couple of simple rules that many security departments require. These rules are put into place immediately and are very easy to generate. What is even greater is that our WFAS rules can be created centrally by making use of Group Policy so that you don't even have to touch the individual servers to apply connection rules to them. WFAS is very different from the Windows Firewall of 10 years ago, and if you are not making use of it, I seriously recommend that you reconsider your stance.