Windows Firewall Part 1: The Basics & Securing Clients

Part 1 of this series will go over the basic configuration of the Windows Firewall via Group Policy on client endpoints, and go in-depth into a few specific topics that will be referenced/reused in later posts.

Overview

In the majority of cases, clients should be able to be secured by allowing outbound traffic by default, blocking inbound traffic by default, and explicitly allowing any necessary inbound traffic for remote management purposes. Except in the cases of specialized software or hardware, there shouldn’t be a need to open any ports on clients that are generally open from anything, i.e., clients shouldn’t be making services available to other endpoints. Let’s start by taking a look at the firewall on a stock Windows 10 installation:

Windows 10 Stock Firewall

There’s a great deal of rules that come preloaded; but most if not all of them are unnecessary. Most of these are application-specific rules that are created by default.

Basic Client Configuration

To begin, create a new Group Policy Object linked to the top-level client OU, and edit the Windows Firewall section under “Computer Configuration\Policies\Windows Settings\Security Settings”.

Windows Firewall within a GPO

After opening Properties for Windows Firewall, configure each firewall profile to enable the firewall, block inbound connections, and allow outbound connections.

Windows Firewall Properties – Domain Profile

Next, customize the settings for each profile to prevent locally configured rules from applying. This will ensure that all firewall rules must be defined via Group Policy, and prevent rules created locally even by an administrator from applying. These settings can be accessed by clicking “Customize” in the “Settings” section for each profile.

Customizing Settings for the Domain Profile

Next, create a new rule via the wizard to allow inbound ICMP echo requests for troubleshooting purposes. Right-click Inbound Rules, click New Rule, and select Custom.

New Inbound Rule Wizard

Select All Programs, click Next, select ICMPv4 under Protocol Type, and click Customize. In the customization dialog, select Specific ICMP Types, and then select Echo Request.

Customize ICMP Settings Dialog

Click OK, then accept the defaults for Scope, Action, and Profile, then give the rule a useful name, such as “Allow Inbound ICMP Echo Request”.

Newly Created Firewall Rule

Next, create a rule to allow remote SMB access for remote management purposes. This time, use PowerShell to create the rule directly in the GPO using the New-NetFirewallRule cmdlet, replacing the parameter values below as necessary.

Further documentation for the New-NetFirewallRule cmdlet can be found on the Microsoft Docs site. Using PowerShell can make it much easier/quicker to create many rules, such as additional rules for other remote management purposes, such as WinRM, remote WMI access, etc.

Summary

At this point, the most vulnerable endpoints are now drastically more secure. If a client is compromised, there won’t be any ability for it to pivot to other client endpoints and cause further compromise, nor can local firewall rules be created to provide a “backdoor”.