
Firewall policies

Open · obsti8383 opened this issue 6 years ago · 1 comment

Are there firewall policies that can help against common threats without breaking things? E.g. Velocet suggested: "The Explorer leaks NTLM hashes (not in every case) and your IP (every case) via simply displaying a folder that does contain a specially crafted "desktop.ini": Create a new firewall rule that prevents the explorer.exe from accessing the internet..."

Another idea: I assume setting the default rule for outgoing connections to "not allow" will break lots of things (via "netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound")?

Any experience out there?

obsti8383, Aug 27 '17 10:08

I would suggest blocking everything and only allowing certain apps. In the case of explorer.exe this will break LAN connections (File Sharing, Computer Browser, etc.). To circumvent this it is possible to only allow connections to the local subnet and only if the network is "trusted" (e.g. Private/Home, Domain):

netsh advfirewall firewall add rule name="Explorer (Local Subnet)" description="Local Subnet" group="HardenTools" dir=out action=allow profile=Private,Domain remoteip=localsubnet program="%SystemRoot%\explorer.exe"

I think the better way is to use PowerShell because this seems to use WMI to create the rule and thus it is possible to set a group:

New-NetFirewallRule -DisplayName 'Explorer (Local Subnet)' -Name 'Explorer (Local Subnet)' -Description 'Local Subnet' -Direction Outbound -Action Allow -Group 'HardenTools' -Profile Private,Domain -RemoteAddress LocalSubnet -Program "$([Environment]::GetFolderPath('Windows'))\explorer.exe"

When a group is set rules become more manageable like in this example where all HardenTools rules get disabled:

netsh advfirewall firewall set rule group="HardenTools" new enable=no

I am using Windows Firewall Control from binisoft and could really recommend it. Very lightweight and it's just a frontend for the built-in firewall. Another simple (and also open source) app to manage fw rules is simplewall.

The whitelist approach is "the best" since everything gets blocked and only known applications are allowed.

Velocet, Sep 03 '17 13:09
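The whitelist approach described above, put together as one script with a check that it actually took effect. This is an added example, not code from the thread or from the hardentools project; it assumes an elevated PowerShell with the NetSecurity module (Windows 8 / Server 2012 and later). The group name 'HardenTools' comes from the thread; the rule name, function names and the test logic are illustrative.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread or hardentools). Assumes the NetSecurity
# module; the rule name and function names below are illustrative.
$Group    = 'HardenTools'
$RuleName = 'HardenTools-Explorer-LocalSubnet'
$Explorer = Join-Path ([Environment]::GetFolderPath('Windows')) 'explorer.exe'

function Set-OutboundWhitelist {
    # 1. Default-deny outbound on every profile (inbound stays blocked too).
    #    Existing allow rules are still honoured, so re-running the script is safe.
    Set-NetFirewallProfile -Profile Domain,Private,Public `
        -DefaultInboundAction Block -DefaultOutboundAction Block

    # 2. Explorer may only talk to the local subnet, and only on trusted profiles:
    #    LAN file sharing keeps working, internet egress from explorer.exe does not.
    if (-not (Get-NetFirewallRule -Name $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -Name $RuleName -DisplayName 'Explorer (Local Subnet)' `
            -Description 'Local Subnet' -Group $Group `
            -Direction Outbound -Action Allow -Profile Private,Domain `
            -RemoteAddress LocalSubnet -Program $Explorer
    }
}

function Test-OutboundWhitelist {
    # $true only when every profile is default-deny outbound and the explorer
    # rule exists, is enabled and is scoped to LocalSubnet.
    $profilesOk = (Get-NetFirewallProfile |
        Where-Object DefaultOutboundAction -ne 'Block').Count -eq 0
    $rule = Get-NetFirewallRule -Name $RuleName -ErrorAction SilentlyContinue
    $ruleOk = $rule -and ($rule.Enabled -eq 'True') -and
        (($rule | Get-NetFirewallAddressFilter).RemoteAddress -contains 'LocalSubnet')
    return [bool]($profilesOk -and $ruleOk)
}

# Because every rule carries the same group, the whole policy can be paused or
# resumed in one call (the PowerShell counterpart of the netsh 'set rule group=' line).
function Disable-HardenToolsRules { Get-NetFirewallRule -Group $Group | Disable-NetFirewallRule }
function Enable-HardenToolsRules  { Get-NetFirewallRule -Group $Group | Enable-NetFirewallRule }

Set-OutboundWhitelist
if (-not (Test-OutboundWhitelist)) { Write-Warning 'Outbound whitelist not fully applied' }
```

With outbound default-deny in place, core services (DNS, DHCP, Windows Update) depend on their own allow rules; Windows ships built-in ones, but list them with `Get-NetFirewallRule -Direction Outbound -Enabled True` before relying on them.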