Windows Firewall Applied. Rob Vinson ISPO Security Architect Dan Metzler ITS-EI Windows Systems Architect



Similar documents
LOOK BEHIND THE SCENES: WINDOWS SERVER 2012 FIREWALL AT VOLKSWAGEN AG

Windows Firewall Configuration with Group Policy for SyAM System Client Installation

WORKING WITH WINDOWS FIREWALL IN WINDOWS 7

Windows Firewall with Advanced Security Step-by-Step Guide - Deploying Firewall Policies

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Installing and Configuring Active Directory Agent

ms-help://ms.technet.2005mar.1033/security/tnoffline/security/smbiz/winxp/fwgrppol...

F-SECURE MESSAGING SECURITY GATEWAY

MS 50255B: Managing Windows Environments with Group Policy (4 Days)

Click Studios. Passwordstate. Password Discovery, Reset and Validation. Requirements

Securing Networks with PIX and ASA

Configure ISE Version 1.4 Posture with Microsoft WSUS

Many network and firewall administrators consider the network firewall at the network edge as their primary defense against all network woes.

Lab Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance

Windows Firewall Exceptions Configuring Windows Firewall Exceptions for Docusnap

Secure Web Appliance. SSL Intercept

Managing Windows Environments with Group Policy 50255D; 5 Days, Instructor-led

Managing Windows Environments with Group Policy

Proxies. Chapter 4. Network & Security Gildas Avoine

Microsoft. Jump Start. M11: Implementing Active Directory Domain Services

RSA Security Analytics

Administration Guide. . All right reserved. For more information about Specops Deploy and other Specops products, visit

DC Agent Troubleshooting

Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure

Step-by-Step Guide for Microsoft Advanced Group Policy Management 4.0

Cisco AnyConnect Secure Mobility Solution Guide

iscsi Security (Insecure SCSI) Presenter: Himanshu Dwivedi

Filtering remote users with Websense remote filtering software v7.6

Understanding Windows Server 2003 Networking p. 1 The OSI Model p. 2 Protocol Stacks p. 4 Communication between Stacks p. 13 Microsoft's Network

Installation Guide. . All right reserved. For more information about Specops Deploy and other Specops products, visit

Configuring Windows Server 2008 Active Directory

MS-50255: Managing, Maintaining, and Securing Your Networks Through Group Policy. Course Objectives. Required Exam(s) Price.

This Technical Support Note shows the different options available in the Firewall menu of the ADTRAN OS Web GUI.

411-Administering Windows Server 2012

Configure a Microsoft Windows Workstation Internal IP Stateful Firewall

R4: Configuring Windows Server 2008 Active Directory

Source-Connect Network Configuration Last updated May 2009

The safer, easier way to help you pass any IT exams. Exam : Installing and Configuring Windows Server 2012 R2.

WolfTech Active Directory: Diagnostic Tools

Overview - Using ADAMS With a Firewall

50255: Managing Windows Environments with Group Policy

DMZ Network Visibility with Wireshark June 15, 2010

Overview - Using ADAMS With a Firewall

Nagios XI Monitoring Windows Using WMI

Transparent Identification of Users

6445A - Implementing and Administering Windows Small Business Server 2008

CRESTRON-APP-ANDROID Control App for Android

Integrated Cisco Products

Remote Access Technical Guide To Setting up RADIUS

6445A - Implementing and Administering Small Business Server 2008

WolfTech Active Directory: SCCM 101

Network Security. Network Packet Analysis

1. Introduction What is Axis Camera Station? What is Viewer for Axis Camera Station? AXIS Camera Station Service Control 5

70-685: Enterprise Desktop Support Technician

Barracuda Link Balancer Administrator s Guide

Syslog Server Configuration on Wireless LAN Controllers (WLCs)

Configuration Guide BES12. Version 12.2

Using DC Agent for Transparent User Identification

Network setup and troubleshooting

Barracuda Networks Web Application Firewall

How To - Configure Virtual Host using FQDN How To Configure Virtual Host using FQDN

Exam : Administrating Windows Server 2012 R2. Course Overview

How To Set Up A Network Map In Linux On A Ubuntu 2.5 (Amd64) On A Raspberry Mobi) On An Ubuntu (Amd66) On Ubuntu 4.5 On A Windows Box

INTRODUCTION TO FIREWALL SECURITY

HP Device Manager 4.6

How To Make A Backdoor On Windows Server From A Remote Computer From A Command Prompt On A Windows 2 Computer (Windows) On A Pc Or Ipad (Windows 2) On An Ipad Or Ipa (Windows 3) On Your Pc Or

ILTA HANDS ON Securing Windows 7

8. Firewall Design & Implementation

TheGreenBow IPsec VPN Client. Configuration Guide Cisco RV325 v1. Website: Contact:

Lab Configure IOS Firewall IDS

Connection and Printer Setup Guide

Windows 7, Enterprise Desktop Support Technician

Administering Windows Server 2012

Passive Vulnerability Detection

LT Auditor Windows Assessment SP1 Installation & Configuration Guide

Implementing, Managing and Maintaining a Microsoft Windows Server 2003 Network Infrastructure: Network Services Course No.

Implementing and Managing Security for Network Communications

Active Directory Manager Pro Quick start Guide

Fundamentals, Security, and the Managed Desktop

Introduction to Endpoint Security

This chapter describes how to set up and manage VPN service in Mac OS X Server.

OfficeScan 10 Enterprise Client Firewall Updated: March 9, 2010

How To Configure SSL VPN in Cyberoam

PRINTER SECURITY AUDIT: THE UNIVERSITY OF VIRGINIA. Kevin Savoy, CPA, CISA, CISSP Brian Daniels, CISA, GCFA

Configuration Guide BES12. Version 12.1

Volume SYSLOG JUNCTION. User s Guide. User s Guide

Application Note. Onsight Connect Network Requirements v6.3

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Network Security. Windows 2012 Server. Securing Your Windows. Infrastructure. Network Systems and. Derrick Rountree. Richard Hicks, Technical Editor

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

Websense Certified Engineer Web Security Professional Examination Specification

Outpost Network Security

This module explains how to configure and troubleshoot DNS, including DNS replication and caching.

Administering Windows Server 2012

HONE: Correlating Host activities to Network communications to produce insight

Installing and Trouble-Shooting SmartSystems

Transcription:

Windows Firewall Applied Rob Vinson ISPO Security Architect Dan Metzler ITS-EI Windows Systems Architect March 2012

Agenda Basic concepts a quick review Firewall Profiles Network Location Awareness (NLA) Rule generation and validation March 2012

Stateful Firewall - Basics Rules are for the traffic that initiates a connection/session Subsequent traffic belonging to that connection/session is allowed through Example allow rule for HTTP: 10.0.0.1 10.0.0.2:80 The response traffic 10.0.0.2:80 10.0.0.1 is automatically allowed March 2012

Application Firewall - Basics Based on the application/program creating the network communication socket. Example allow rule: any instant_messenger.exe Allows any host to communicate to ports opened by instant_messenger.exe March 2012

Profiles Allow different firewall rules to be applied in different environments Domain Corporate Environment Private Trusted/home network Public Coffee Shops, Airport, etc. March 2012

Settings - Profiles Allow outbound connections by default. Inbound connections are allowed if there is an allow rule that matches the connection Public profile Network discovery is off March 2012

How Profiles are Chosen Network Location Awareness (NLA) Domain Profile Computer can reach Domain Controller Private/Public Profiles Pop-up window asks which to apply More info: http://blogs.technet.com/b/networking/archive/2010/09/08/networklocation-awareness-nla-and-how-it-relates-to-windows-firewall-profiles.aspx March 2012

Rule Development - Tools Command line: netstat noa Sysinternals - http://technet.microsoft.com/enus/sysinternals/bb842062 TCPView Process Monitor March 2012

Rule Validation Verify that you can get an open port when you should, and don t when you shouldn t. Tools: Logs, netcat, nmap (port scanners), telnet, web browser, etc. March 2012

Demo March 2012

Windows Firewall GPO

Agenda Managing Firewall GPOs Tools Concepts Troubleshooting Tools Things to Think About Strategy

Managing Firewall GPOs Tools

Tools Group Policy Management Console (GPMC) Group Policy Editor (GPEdit) NetSH Powershell

NetSH (local and GPO)

Powershell GroupPolicy Module Import-module GroupPolicy New-GPO New-gplink Set-gppermissions Netsh Get-gpregistryvalue Set-gpregistryvalue Remove-gpregistryvalue $stream = [System.IO.StreamWriter] netshinput.txt $stream.writeline( advfirewall ) $stream.writeline( set store gpo= + $domainfqdn + \ + $gponame) $stream.writeline( import myfirewallsettings.wfw ) $stream.writeline( exit ) $stream.close() Get-content netshinput.txt netsh

Managing Firewall GPOs Some Concepts

GPO Processing Order Local GPO Site Domain OU (Top to Bottom)

GPO Processing Some settings overwrite Some settings accumulate

Filtering Computer Group only certain groups have permissions to apply the GPO WMI - If the filter evaluates to true the GPO applies Examples Certain OS versions SELECT Version FROM Win32_OperatingSystem WHERE Version >= "6" Certain Server Features installed SELECT Name FROM Win32_ServerFeature WHERE Name = "Web Server (IIS) Certain Program Installed SELECT Name FROM Win32_Product WHERE Name = "Cisco AnyConnect VPN Client"

Local GPO and Local Settings If you don t block these, Domain GPO firewall rules and local settings are cumulative. If you want to prevent Domain GPOs from being overridden, then you have to block local settings and local GPO processing. Warning: This significantly impacts the the number of rules required in Domain GPOs.

Must Have Rules

Firewall Rule Precedence Authentication Bypass Block Rule Allow Rule Default Rule

Troubleshooting

Netstat

Firewall logging

Event Viewer

Event Viewer (Cont.)

Event Viewer (Cont.)

Event Viewer (Cont.)

Packet Sniffing (Netmon and Wireshark)

Windows Firewall with Advanced Security Snap-in

Things to Think About

It s A Balance? Security requirements tend to drive the need for restricting traffic with firewall rules. Software requirements drive the need allow traffic through the firewall.

Part of Software Deployment Installation time is when the firewall rule change happens. Vendor documentation is sparse with regard to firewall requirements Common statements Allow the following ports both ways: x,y,z Application uses the following ports both TCP and UDP: x,y,z

Who Manages The Rules? Typically those who have admin permissions are likely the group that installs software. Often the owner, (not necessarily the user of the computer), determines who has admin rights, and who controls firewall rules. Security office implements policy that often dictates rules. Auditors may need to audit rules on occasion.

Strategy Level Of Control

Loose Management Scenario Environment End user has admin rights to the computer. End user often installs software Software installs often open up rules in the process of installing. IT only might add a few rules through GPO

Strict Management Scenario 1 Environment Users don t have admin permissions: IT controls local firewall settings IT controls local gpo settings. Users request software not firewall settings. IT might use GPOs or just manage settings locally.

Strict Management Scenario 2 Environment Users have admin permissions: IT wants to manage firewall rules centrally. Users need to request firewall rules. IT must use GPOs in this situation. Disable local firewall settings Disable local GPO processing

Strategy Level Of Security

Default Security Inbound Default rule: Block Outbound Default rule: Allow Only Inbound exceptions must be defined.

High Security/High Maintenance Inbound Default rule: Block Outbound Default rule: Block All exceptions must be defined.

Account For Your Environment Inbound Exception Rules Program or Service Protocol Local Ports Remote Address Scope (Any, Campus, Trusted Nets) Outbound Exception Rules (High Security) Program or Service Protocol Remote Ports (maybe) Remote Address Scope (Any, Campus, Trusted Nets)

Questions?