Susan Bradley (sbradley), Contributing Writer

How to optimize Windows Firewall security

How-To | Jun 23, 2020 | 4 mins | Firewalls, Network Security, Security

If you're ignoring or have disabled Windows Firewall, you might be missing out on some good, basic protections that are easy to set up and maintain.


Windows Firewall has been enabled by default since Windows XP SP2, but I still see deployments where it is turned off out of old habit, from the days when it was hard to work out how to allow applications through. With Windows 10 and Server 2019, most of the firewall rules you need are already built in and it's relatively easy to set up access. But there are times you should tighten the Windows Firewall settings to better protect against lateral movement and attackers. Here's what you need to know.

Build rules to binaries or executables

If an application needs a special rule, build it around the binary or executable, not the port. A program-scoped rule matches only packets sent or received by that executable's process, so the port is reachable only while the application is actually running and listening. A rule that opens a port on its own leaves that port open to whatever process happens to bind it, including something an attacker drops on the machine.
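As an added example (not code from the original article), here is a program-scoped inbound rule next to the port-only rule it should replace, followed by a check for port-only rules already present on the machine. The application path, port and rule names are assumptions for illustration.

```powershell
# Added example: program-scoped inbound rule vs. port-only rule.
# The agent path, port 8443 and rule names are assumptions.
$AgentExe = 'C:\Program Files\Contoso\Agent\agent.exe'   # assumed path

# Weak: any process that binds TCP 8443 becomes reachable from the domain
# network, whether or not agent.exe is running.
New-NetFirewallRule -DisplayName 'Agent (port only)' -Direction Inbound `
    -Protocol TCP -LocalPort 8443 -Action Allow -Profile Domain

# Better: the rule matches only packets handled by agent.exe, so port 8443
# is reachable only while that executable is running and listening.
New-NetFirewallRule -DisplayName 'Agent (program scoped)' -Direction Inbound `
    -Program $AgentExe -Protocol TCP -LocalPort 8443 -Action Allow -Profile Domain

# Remove the port-only rule once the scoped rule has been verified.
Remove-NetFirewallRule -DisplayName 'Agent (port only)'

# Audit: enabled inbound allow rules bound to neither a program nor a service.
# These are the rules that leave a port open regardless of what is listening.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        ($_ | Get-NetFirewallApplicationFilter).Program -eq 'Any' -and
        ($_ | Get-NetFirewallServiceFilter).Service -eq 'Any'
    } |
    Select-Object DisplayName, Profile,
        @{ Name = 'Port'; Expression = { ($_ | Get-NetFirewallPortFilter).LocalPort } }
```

Run the audit part on its own first; built-in rules for services such as Core Networking are tied to a service and will not appear, so anything listed is worth a second look.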

Identify blocked applications

Windows notifies by default when an application is blocked. However, an IT administrator might prefer to use the event log to identify blocked applications rather than the pop-ups in the system tray, which are easily missed. To determine which applications Windows Firewall blocks, search the Security event log for event ID 5031, which indicates that the Windows Firewall service blocked an application from accepting incoming connections on the network. This event is only written when the "Filtering Platform Connection" audit subcategory is enabled for failure events. Use it to find applications for which no Windows Firewall rule exists.

Set up security monitoring

If you are using a security event log monitoring solution to monitor events, keep the following in mind:

  • If only specific, pre-defined applications are expected to accept inbound connections, alert on any 5031 event whose "Application" is not one of them.
  • Alert when "Application" is outside a standard folder (for example, not under System32 or Program Files) or inside a restricted folder (for example, Temporary Internet Files or a user's Temp directory).
  • If you keep a list of restricted substrings or words in application names (for example, "mimikatz" or "cain.exe"), check for these substrings in "Application".
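The following is an added example (not code from the original article) that ties the two sections above together: it reads event ID 5031 from the Security log, pulls the "Application" and "ProfileUsed" fields out of the event XML, and applies the three checks to each one. The expected-application list, folder lists and substring list are assumptions to adapt to your environment, and the sample paths at the end are constructed, not real log data.

```powershell
# Added example: hunt for 5031 (application blocked from accepting inbound
# connections) and apply the three monitoring checks. Lists are assumptions.
#
# 5031 is only logged when failure auditing is on for the subcategory:
#   auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable

$ExpectedApps      = @('\windows\system32\svchost.exe')                      # assumed
$StandardFolders   = @('\windows\system32\', '\program files\', '\program files (x86)\')
$RestrictedFolders = @('\temporary internet files\', '\appdata\local\temp\', '\users\public\')
$BadSubstrings     = @('mimikatz', 'cain.exe', 'nc.exe', 'psexec')          # assumed

function Test-BlockedApplication {
    param(
        [Parameter(Mandatory)][string]$Application,
        [string]$ProfileUsed = 'Unknown'
    )
    # 5031 records the NT device path, e.g. \device\harddiskvolume2\windows\...;
    # strip the volume prefix and lower-case it so the checks are case-insensitive.
    $path = ($Application -replace '^\\device\\harddiskvolume\d+', '').ToLowerInvariant()
    $findings = @()

    # Check 1: not one of the applications expected to accept inbound connections.
    if (-not ($ExpectedApps | Where-Object { $path -like "*$_" })) {
        $findings += 'unexpected application'
    }
    # Check 2: outside the standard install folders, or inside a restricted one.
    if (-not ($StandardFolders | Where-Object { $path -like "*$_*" })) {
        $findings += 'not in a standard folder'
    }
    if ($RestrictedFolders | Where-Object { $path -like "*$_*" }) {
        $findings += 'in a restricted folder'
    }
    # Check 3: known tool names in the file name.
    $name = Split-Path -Leaf $path
    foreach ($s in $BadSubstrings) {
        if ($name -like "*$s*") { $findings += "name contains '$s'" }
    }

    [pscustomobject]@{
        Profile     = $ProfileUsed
        Application = $path
        Suspicious  = ($findings.Count -gt 0)
        Findings    = ($findings -join '; ')
    }
}

function Get-BlockedApplicationEvent {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 5031; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        Test-BlockedApplication -Application $d['Application'] -ProfileUsed $d['ProfileUsed'] |
            Add-Member -NotePropertyName TimeCreated -NotePropertyValue $_.TimeCreated -PassThru
    }
}

# Live use (needs an elevated console):
#   Get-BlockedApplicationEvent -Days 30 | Where-Object Suspicious | Format-Table -AutoSize

# Constructed sample paths (not real log data) to exercise the checks offline.
$samples = @(
    '\device\harddiskvolume2\windows\system32\svchost.exe',
    '\device\harddiskvolume2\users\alice\appdata\local\temp\nc.exe',
    '\device\harddiskvolume2\program files\contoso\agent.exe'
)
$samples | ForEach-Object { Test-BlockedApplication -Application $_ -ProfileUsed 'Domain' } |
    Format-Table -AutoSize
```

The first sample passes all three checks, the second trips all three (unexpected, restricted folder, tool name), and the third is flagged only as unexpected, which is the case the first bullet is about: a legitimate-looking program that nobody wrote a rule for.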

Block PowerShell from internet access

You can use Windows Firewall to restrict which resources an application can reach. As described in a SANS forum post, you can block PowerShell from accessing the internet. The first rule below allows PowerShell to reach the local subnet; the second drops all other outbound traffic from powershell.exe:

C:\> netsh advfirewall firewall add rule name="PS-Allow-LAN" dir=out remoteip=localsubnet action=allow program="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" enable=yes

C:\> netsh advfirewall firewall add rule name="PS-Deny-All" dir=out action=block program="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" enable=yes

One caveat on rule ordering: Windows Firewall evaluates explicit block rules before allow rules, so as written the "PS-Deny-All" rule also blocks the local-subnet traffic the first rule is meant to permit. If PowerShell must keep working against LAN hosts, scope the block rule with remoteip= to the address ranges you want to cut off instead of blocking everything. Either way, this can protect your systems from attacks that leverage PowerShell to call command-and-control servers to launch ransomware and other attacks. PowerShell should not be removed but rather hardened and logged to ensure it's used as intended.

You can also build rules for every copy of PowerShell on the system with a cmd.exe loop. for /R recurses from the current directory (or from the directory given after /R), so run it from C:\Windows to pick up both the System32 and SysWOW64 copies, and note that powershell*.exe also matches powershell_ise.exe. In a batch file, write %%f instead of %f. PowerShell 7 (pwsh.exe) installs under Program Files and is not matched by this loop.

C:\Windows> for /R %f in (powershell*.exe) do ( netsh advfirewall firewall add rule name="PS-Allow-LAN (%f)" dir=out remoteip=localsubnet action=allow program="%f" enable=yes & netsh advfirewall firewall add rule name="PS-Deny-All (%f)" dir=out action=block program="%f" enable=yes )

[Screenshot: Firewall rule to block PowerShell from internet access]

You’ll see the resulting rule in the outbound firewall rule settings: 

[Screenshot: Windows Firewall outbound rules]

These rules match on the path of the executable, so they do not help if an attacker copies powershell.exe to another location, renames it, or hosts the PowerShell engine inside another process. They will, however, stop attacks that go for the low-hanging fruit and simply call the stock binary.

Set firewall rules with PowerShell

You can also set firewall rules with PowerShell, as documented by Microsoft. For example, to block outbound HTTP (TCP port 80) from a server, use the following command. For an outbound rule the destination port is the remote port; -LocalPort 80 would only match traffic whose source port is 80:

New-NetFirewallRule -DisplayName "Block Outbound Port 80" -Direction Outbound -RemotePort 80 -Protocol TCP -Action Block

The basic properties you need to fill in are: 

  • DisplayName – The friendly name of the firewall rule 
  • Direction – Whether to block traffic leaving the computer (outbound) or coming into the computer (inbound) 
  • Action – What action to take if the rule is met, allow or block 

Many more cmdlets are available for managing Windows Firewall (Get-NetFirewallRule, Set-NetFirewallRule, Get-NetFirewallProfile and so on). They all live in the NetSecurity module and are documented in the NetSecurity section of the PowerShell reference.
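As an added example (not code from the original article or the SANS post), here is the PowerShell internet restriction from the previous section rebuilt with the NetSecurity cmdlets. Because explicit block rules are evaluated before allow rules, the block rule is scoped to the IPv4 address ranges outside RFC 1918 space and loopback rather than to all traffic, so LAN access survives. The rule names, the host list and the choice of ranges are assumptions; the block covers IPv4 destinations only.

```powershell
# Added example: block PowerShell hosts from reaching public IPv4 addresses
# while leaving private (RFC 1918) and loopback destinations alone.
# Rule names, host list and ranges are assumptions for this example.

# Every IPv4 address that is NOT in 10/8, 127/8, 172.16/12 or 192.168/16.
$PublicV4 = @(
    '0.0.0.0-9.255.255.255',
    '11.0.0.0-126.255.255.255',
    '128.0.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-255.255.255.255'
)

# PowerShell hosts to cover; pwsh.exe (PowerShell 7) is outside C:\Windows.
$Hosts = @{
    'powershell-x64' = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
    'powershell-x86' = "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
    'pwsh7'          = "$env:ProgramFiles\PowerShell\7\pwsh.exe"
}

foreach ($h in $Hosts.GetEnumerator()) {
    if (-not (Test-Path $h.Value)) { continue }   # skip hosts not installed here

    # Documents the LAN exception; it only changes behaviour if the profile's
    # default outbound action is Block, since block rules win over allow rules.
    New-NetFirewallRule -DisplayName "PS-Allow-LAN ($($h.Key))" -Direction Outbound `
        -Program $h.Value -RemoteAddress LocalSubnet -Action Allow -Profile Any | Out-Null

    # The rule that does the work: block only public IPv4 destinations.
    New-NetFirewallRule -DisplayName "PS-Deny-Internet ($($h.Key))" -Direction Outbound `
        -Program $h.Value -RemoteAddress $PublicV4 -Action Block -Profile Any | Out-Null
}

# Verify program and remote-address scope of the rules just created.
Get-NetFirewallRule -DisplayName 'PS-*' | ForEach-Object {
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Action  = $_.Action
        Program = ($_ | Get-NetFirewallApplicationFilter).Program
        Remote  = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', ')
    }
} | Format-Table -AutoSize
```

To confirm it works, run Test-NetConnection against a public host on port 443 from a PowerShell console (it runs inside powershell.exe, so it is subject to the rule) and then against a LAN host; only the first should fail. IPv6 destinations need a parallel block rule with the equivalent non-ULA ranges, or the machine will simply reach the same servers over IPv6.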

Review new Windows 10 security baselines

Don’t forget that with each version of Windows 10 Microsoft releases new security baselines. As part of the baselines they include suggested firewall policies. 

[Screenshot: Windows 10 2004 baseline policies]

The baseline keeps the default inbound action set to Block on the domain and private profiles (as it is on the public profile); verify that neither a local change nor a GPO has flipped it to Allow.

Audit settings regularly

Finally, when reviewing the security status of your network, take a random sample of workstations on a regular basis and audit their settings. Review the firewall policies on each sample workstation. I am often surprised by the applications that have built rules for themselves when I have forgotten to build blocking rules on a segment.
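The following is an added example (not code from the original article) that covers the two checks above in one pass: it picks a random sample of workstations, reads the effective per-profile defaults, and lists the allow rules that live in the local store rather than in Group Policy, which is where applications that add rules for themselves end up. The workstation names and sample size are assumptions; it needs WinRM and administrative rights on the targets.

```powershell
# Added example: sample workstations and audit firewall defaults plus
# locally-added allow rules. Computer names and sample size are assumptions.

$AllWorkstations = @('WS-001', 'WS-002', 'WS-003', 'WS-004', 'WS-005')   # assumed list
$Sample = $AllWorkstations | Get-Random -Count 2

$Audit = {
    # Effective (ActiveStore) profile settings. Baseline expectation: the
    # Domain and Private profiles are on with default inbound action Block.
    $profiles = Get-NetFirewallProfile -PolicyStore ActiveStore | ForEach-Object {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Item     = "Profile:$($_.Name)"
            Detail   = "Enabled=$($_.Enabled) In=$($_.DefaultInboundAction) Out=$($_.DefaultOutboundAction)"
            Review   = (($_.Name -in @('Domain', 'Private')) -and
                        ($_.DefaultInboundAction -ne 'Block' -or $_.Enabled -ne 'True'))
        }
    }
    # Allow rules in the local persistent store are not from GPO: these are the
    # rules installers and applications created for themselves on this machine.
    $local = Get-NetFirewallRule -PolicyStore PersistentStore -Enabled True -Action Allow |
        ForEach-Object {
            $program = ($_ | Get-NetFirewallApplicationFilter).Program
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Item     = "Rule:$($_.DisplayName)"
                Detail   = "$($_.Direction) $program"
                Review   = ($_.Direction -eq 'Inbound')   # every local inbound allow gets eyes on it
            }
        }
    $profiles + $local
}

$Results = Invoke-Command -ComputerName $Sample -ScriptBlock $Audit
$Results | Where-Object Review | Sort-Object Computer, Item |
    Format-Table Computer, Item, Detail -AutoSize
```

Keep the full $Results output from each run; comparing a workstation's local rule list against the previous sample is the quickest way to spot a new application that quietly opened an inbound port.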


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserve, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.
