Project helping to setup Windows Firewall to block Outbound traffic by default and manage the Allow-rules.
- Configure Windows Firewall to block Outbound traffic by default and setup needed Auditing to detect what is getting blocked
- Manage block/unblock not by rules, but by Entities like Program, Service, App.
- Manage the Custom firewall Allow-rules by desired state config files
- Identify what Entity is being blocked and create applyable config files to create needed rules to unblock the traffic. By default unblock all destinations, ports and protocols for an Entity.
- Maintain Common config with standard Allow-rules in categories
- Detect changes in the Firewall rules and report what is changed and what is the impact (Snapshot baseline files are created)
- To be able to compare current rules vs Baseline file of previous rules state
- Restrict Windows services communication
- Create rules in a way that they are not modifyable by standard tools
Note: Windows Firewall claims to support rules based on Service, but they do not seem to be working. Windows can differenciate between services using same executable (like svchost.exe) by checking PID and service token, if Service's SID is not of type NONE (https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure). Anyway Windows Firewall Rules do not recogcnize the traffic, so blocking in this project is by Program (exe path) and all Windows services use same executable.
- PowerShell Core 7 (https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-windows?view=powershell-7.4)
- PowerShell Core Terminal with Administrator priveleges
On high level steps to setup and manage the Outbound Firewall are:
- (Optional) Create Rules by using Common rules config part of the project
- Enable Firewall Outbound blocking and Audit events to track what is blocked
- Analyze Audit events and create own Custom rules for the machine
- Apply the own custom rules
- If something is not yet working go back to Analyze Audit events step
When software is being installed it can crate Allow-rules. To make sure that is not the case:
- Update Baseline snapshot of the Rules before installation
- (Optional) Enable Deny-all outbound rule
- Install software
- Compare current state with Baseline
- Disable any rules added by the installer
- (Optional) Disble Deny-all outbound rule
List of Cmdlets are available in helper.ps1. Script is not intended to be run, but specific lines to be executed or copy-pased. Open the script with IDE (VSCode) in Administrator mode and use "Run selection" (F8) to run currently selected code.
Config for a rule generated by the project looks like the row below.
{
"Description": "Product: Google Update. FileDescription: Google Installer. Associated services: gupdate, gupdatem. ",
"Program": "c:\\program files (x86)\\google\\update\\googleupdate.exe"
}Keys from this config are put on top of default Parameter values and are passed to Cmdlet creating Firewall rules.
Default parameter values are:
CommonParams = @{
Enabled = "True"
PolicyStore = "PersistentStore"
Direction = "Outbound"
Action = "Allow"
Group = "AFirewallHelper"
Profile = "Any"
LocalAddress = "Any"
LocalPort = "Any"
Protocol = "Any"
RemoteAddress = "Any"
RemotePort = "Any"
Description = "Rule Created by Firewall Helper script"
}And any of them can be overwrten in the config. If DisplayName of the rule is not defined it will be set by code:
# create DisplayName
if (-not $params.DisplayName) {
if ($params.Program) {
$params.DisplayName = "FH-" + (Covert-FHStringToSha1 -InputString $params.Program) + "-" + ($params.Program -split '\\')[-1]
}
if ($params.Service) {
$params.DisplayName = "FH-$($params.Service)"
}
if ($params.Package) {
Write-Error -Message "Package rules must have DisplayName property. Skip." -ErrorAction Continue
continue
}
}
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent