Firewall policies #35
Comments
I would suggest to block everything and only allow certain apps. In the case of explorer.exe this will break LAN connections (File Sharing, Computer Browser, etc.). To circumvent this it is possible to only allow connections to the local subnet and only if the network is "trusted" (eg: Private/Home, Domain):

```
netsh advfirewall firewall add rule name="Explorer (Local Subnet)" description="Local Subnet" group="HardenTools" dir=out action=allow profile=Private,Domain remoteip=localsubnet program="%SystemRoot%\explorer.exe"
```

I think the better way is to use PowerShell because this seems to use WMI to create the rule and thus it is possible to set a group:

```
New-NetFirewallRule -DisplayName 'Explorer (Local Subnet)' -Name 'Explorer (Local Subnet)' -Description 'Local Subnet' -Direction Outbound -Action Allow -Group 'HardenTools' -Profile Private,Domain -RemoteAddress LocalSubnet -Program "$([Environment]::GetFolderPath('Windows'))\explorer.exe"
```

When a group is set rules become more manageable like in this example where all HardenTools rules get disabled:

```
netsh advfirewall firewall set rule group="HardenTools" new enable=no
```

I am using Windows Firewall Control from binisoft and could really recommend it. Very lightweight and it's just a frontend for the built-in firewall. Another simple (and also open source) app to manage fw rules is simplewall. The whitelist approach is "the best" since everything gets blocked and only known applications are allowed.
Are there firewall policies that can help against common threats without breaking things? E.g. Velocet suggested:
"The Explorer leaks NTLM hashes (not in every case) and your IP (every case) via simply display a folder that does contain a specially crafted "desktop.ini": Create a new firewall rule that prevents the explorer.exe from accessing the internet..."
Another idea:
I assume setting the default rule for outgoing connections to "not allow" will break lots of things (via "netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound")?
Any experience out there?
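The whitelist posture from the comment above combined with the explorer.exe rule from the issue text, as an added PowerShell example (not code from the issue or from the HardenTools project); the group name, rule name and the assumption of an elevated shell on Windows 8 / Server 2012 or later are mine:

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the issue or from HardenTools. Assumes Windows 8 /
# Server 2012 or later (NetSecurity module); group and rule names are chosen here.

$Group    = 'HardenTools'
$Explorer = Join-Path ([Environment]::GetFolderPath('Windows')) 'explorer.exe'

function Add-HardenToolsRule {
    param([string]$Name, [hashtable]$Params)
    # Name is the rule's unique key, so re-running the script is safe.
    if (Get-NetFirewallRule -Name $Name -ErrorAction SilentlyContinue) {
        Write-Host "exists:  $Name"; return
    }
    New-NetFirewallRule -Name $Name -DisplayName $Name -Group $Group @Params | Out-Null
    Write-Host "created: $Name"
}

function Enable-HardenTools {
    # Whitelist posture: block outbound by default on every profile. Existing
    # enabled allow rules (e.g. the built-in "Core Networking" group for DNS/DHCP)
    # keep matching, so only programs without an allow rule lose connectivity.
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

    # explorer.exe may only reach the local subnet, and only on trusted profiles.
    # This has to be an allow rule against a block default: a separate block rule
    # for explorer.exe would win over this allow, because block rules take
    # precedence over allow rules regardless of creation order.
    Add-HardenToolsRule -Name 'HardenTools-Explorer-LocalSubnet' -Params @{
        Description   = 'Local Subnet only (file sharing, computer browser)'
        Direction     = 'Outbound'
        Action        = 'Allow'
        Profile       = 'Private, Domain'
        RemoteAddress = 'LocalSubnet'
        Program       = $Explorer
    }
    Get-NetFirewallRule -Group $Group | Enable-NetFirewallRule
}

function Disable-HardenTools {
    # Rollback: restore the default and switch the group off without deleting it,
    # the PowerShell equivalent of `netsh ... set rule group="HardenTools" new enable=no`.
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Allow
    Get-NetFirewallRule -Group $Group | Disable-NetFirewallRule
}
```

Run `Enable-HardenTools`, then verify with `Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction` and `Get-NetFirewallRule -Group HardenTools`; `Disable-HardenTools` reverts both the default action and the group in one step if something on the LAN breaks.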