steveunderscoren / windowsfirewall

PowerShell scripts/GUI tools for the enterprise to harden Windows Defender Firewall via group policy (GPO). These can be used to enforce network-level application whitelisting and strengthen the security posture of devices to defend against attacks such as software supply chain attacks, and can be used with privileged access workstations (PAW).

License: GNU General Public License v3.0

PowerShell 100.00%
application-whitelisting baseline domain-firewall egress-filtering enterprise firewall firewall-policies gpo group-policy gui paw powershell-script privileged-access-workstations security-hardening windows-firewall


windowsfirewall's Issues

Setting the 'Package' option to 'Any' results in the firewall rule not being applied.

Using any of the following:
-Package 'Any'
-Package ''
-Package $null
results in an invalid registry key and the firewall rule is not applied to the active store.
E.g. the following valid partial key:
….|App=%SystemRoot%\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe|Name=EDGE (TCP-Out)|AppPkgId=S-1-15-2-3624051433...…|EmbedCtxt=OutboundWebServers|
would become the following valid key when changed via the GUI:
….|App=%SystemRoot%\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe|Name=EDGE (TCP-Out)|EmbedCtxt=OutboundWebServers|
But when changed with any of the above methods (or even set at the CIM level) in PowerShell it becomes the invalid:
….|App=%SystemRoot%\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe|Name=EDGE (TCP-Out)|AppPkgId=|EmbedCtxt=OutboundWebServers|
The erroneous 'AppPkgId=|' results in the rule being ignored by the firewall service with a status of 'NoLocalUser'.
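
The check below is an added example, not code from the issue or from the project: it flags firewall rule strings that carry an empty field such as the 'AppPkgId=|' described above, and returns the same string with that field dropped. The function name Test-FirewallRuleString, the rule-string prefix and the package SID placeholder are assumptions made for the sample; the registry path in the closing comment is the standard location of GPO-delivered firewall rules on a client.

```powershell
# Added example, not project code. Test-FirewallRuleString is a hypothetical helper.
function Test-FirewallRuleString {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$RuleString
    )
    process {
        # A rule value is pipe-delimited: a version token, then Key=Value fields,
        # then a trailing pipe (which yields one empty token that is discarded).
        $tokens = @($RuleString.Split('|') | Where-Object { $_ -ne '' })
        $fields = @($tokens | Select-Object -Skip 1)

        # A field is "empty" when it has a key and '=' but no value, e.g. 'AppPkgId='.
        $emptyField = '^([^=]+)=\s*$'
        $empty = @($fields | Where-Object { $_ -match $emptyField } |
            ForEach-Object { $_ -replace $emptyField, '$1' })

        # Rebuild the string without the empty fields, which is the form the
        # issue reports the GUI writing when the package condition is cleared.
        $kept = @($tokens | Where-Object { $_ -notmatch $emptyField })

        [pscustomobject]@{
            Name        = ($fields -like 'Name=*') -replace '^Name=', ''
            EmptyFields = $empty
            IsValid     = $empty.Count -eq 0
            Repaired    = ($kept -join '|') + '|'
        }
    }
}

# Constructed sample values: the 'v2.10|Action=...' prefix and the SID are placeholders,
# the App/Name/EmbedCtxt fields are the ones quoted in the issue.
$prefix = 'v2.10|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|'
$app    = 'App=%SystemRoot%\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe|'
$samples = @(
    "${prefix}${app}Name=EDGE (TCP-Out)|AppPkgId=S-1-15-2-PLACEHOLDER|EmbedCtxt=OutboundWebServers|"
    "${prefix}${app}Name=EDGE (TCP-Out)|EmbedCtxt=OutboundWebServers|"
    "${prefix}${app}Name=EDGE (TCP-Out)|AppPkgId=|EmbedCtxt=OutboundWebServers|"
)
$samples | Test-FirewallRuleString | Format-List

# To audit the rules a GPO has delivered to a machine, pipe the real values instead:
#   $key = Get-Item 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules'
#   $key.GetValueNames() | ForEach-Object { $key.GetValue($_) } |
#       Test-FirewallRuleString | Where-Object { -not $_.IsValid }
```

Only the third sample is reported with IsValid = False and EmptyFields = AppPkgId; its Repaired value matches the second sample.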

Blocked connections since version 0.7.x

Blocks with version 0.7.0 policies applied - Tier X firewall baseline
#######
Application Information:
Process ID: 2624
Application Name: \device\harddiskvolume4\windows\system32\speech_onecore\common\speechruntime.exe

Network Information:
Direction: Outbound
Source Address: 1.2.3.160
Source Port: 60736
Destination Address: 52.138.216.83
Destination Port: 443
Protocol: 6

Application Information:
Process ID: 4900
Application Name: \device\harddiskvolume4\windows\system32\mmc.exe

Network Information:
Direction: Outbound
Source Address: 1.2.3.160
Source Port: 57336
Destination Address: 1.2.3.1
Destination Port: 53
Protocol: 17

Application Name: \device\harddiskvolume4\windows\system32\dmclient.exe

Network Information:
Direction: Outbound
Source Address: 1.2.3.160
Source Port: 62830
Destination Address: 52.138.216.83
Destination Port: 443
Protocol: 6

Application Information:
Process ID: 8380
Application Name: \device\harddiskvolume4\windows\system32\apphostregistrationverifier.exe

Network Information:
Direction: Outbound
Source Address: fdfd:fdfd:fdfd:0:49a5:ded6:b713:2f66
Source Port: 51423
Destination Address: fdfd:fdfd:fdfd::4
Destination Port: 8080
Protocol: 6

########

Blocks with version 0.7.0 policies applied - Domain firewall baseline
########
Application Information:
Process ID: 3968 Push notification
Application Name: \device\harddiskvolume4\windows\system32\svchost.exe

Network Information:
Direction: Outbound
Source Address: 1.2.3.160
Source Port: 60605
Destination Address: 52.170.194.77 and 52.179.13.204
Destination Port: 443
Protocol: 6
