Windows Firewall + PowerShell + Group Policy = Wonderful

Last year I did some work around putting together a group policy for the UWWI servers that restricts who can access them to the current definition of the UW Network.

Group policy allows you to define configuration settings once and apply them broadly. And what better application than the Windows Firewall rules that are so crazily detailed and finicky? Who likes to set local Windows Firewall rules? Yuck.

James Morris tipped me off that there were some PowerShell cmdlets that would help me. And he was absolutely right … there was one which really saved a massive amount of time in defining the rules that went in the GPO.

Here are some breadcrumbs that should allow you to put something similar together yourself.

The UW-IT NOC has this document defining the UW Networks: https://wiki.cac.washington.edu/display/UWNOC/IP+Address+Space+Usage

Note that includes both IPv4 and IPv6. And Windows Firewall handles both. 🙂

So then you do something like this:

PS C:\Windows\system32> $IPs = @(“128.208.0.0/16″,”128.95.0.0/16″,”140.142.0.0/16″,”198.48.64.0/19″,”205.175.96.0/19″,”69.91.128.0/17″,”173.250.128.0/17″,”108.179.128.0/18″,”172.16.0.0/12″,”10.0.0.0/8″,”2607:4000::/32″,”fd73:a9bd:11bb::/48”)

Then you create your group policy object. Let’s say I created mine in the Dogfood domain, with a name of “uwit: UWWI firewall test”.

You then do something like this:

PS C:\Windows\system32> set-netfirewallrule -DisplayName “Windows Remote Management – Compatibility Mode (HTTP-In)” -RemoteAddress $IPs -PolicyStore “dogfood.netid.washington.edu\uwit: uwwi firewall test”

This adds a firewall rule to the GPO for WinRm that restricts traffic to the IP networks in the $IPs variable.

If you pull up the GPO in the GUI, you’ll now see that firewall rule in the GPO. Nice! 🙂

The next trick is figuring out which rules you need to add, and that really depends on the box and how tight you want to configure it. On thing to consider: you might go with a course grain approach, restricting TCP & UDP & ICMP traffic, and skip the fine grain approach of delineating all the individual services.

Want to read up on the Windows Firewall with Advanced Security? See http://technet.microsoft.com/en-us/library/cc754274.aspx. If you do dig into it and go the more fine grain route, make sure you understand the Windows Service Hardening type of firewall rules. These are rules defined by the product team (or 3rd party apps/services) and can’t be removed easily. In other words, they are on every box that has the Windows Firewall service installed, and **regardless of whether you have the Windows Firewall on or off**, they exist and are active. And yes, you read that right–there are firewall rules which are active even with Windows Firewall disabled. These
Windows Service Hardening rules are designed to only allow the services to accept traffic from the network sources the service is designed for.

Leave a Reply

Your email address will not be published. Required fields are marked *

Required
Required