Windows Firewall is a crucial Windows feature that is often neglected and only looked at when additional ports need to be opened for new software. However, the recent Outlook vulnerability (CVE-2023-23397) highlighted that relying solely on network firewalls for protection can be risky, as assessing and configuring the hundreds of network firewalls in an organization can be a challenging task. In this article, we will discuss the importance of Windows Firewall and how organizations can leverage it to create a robust first line of defense.
Default configuration
By default, Windows Firewall assumes that threats to an organization originate externally: inbound connections to a Windows device are blocked unless specifically permitted, while outbound connections are permitted unless specifically blocked. In the case of CVE-2023-23397, however, a malicious email downloaded to Outlook causes the device itself to open a TCP/445 connection to the attacker's server; because that connection is outbound, the default Windows Firewall configuration does not block it. This is just one example of how attackers can take advantage of default Windows Firewall configurations, and it shows why cybersecurity engineers need to be familiar with Windows Firewall and harden its configuration.
What Windows Firewall offers
Windows Firewall lets us create rules for specific programs or services, for a protocol type and port number, for a combination of both, or from predefined rules. During rule creation, we can also specify which IP destinations are included in or excluded from the rule, which allows us, among other things, to limit communication to a specific group of devices.
Mitigating CVE-2023-23397
Focusing on the Domain profile of Windows Firewall: by default, a firewall rule called Core Networking - Group Policy (NP-Out) allows outbound TCP/445 connections to any destination, relying on traditional network firewalls to secure the perimeter. A quick and easy mitigation is to modify this rule so that SMB connections are only allowed to the networks that contain domain controllers, file servers, and printing infrastructure. After doing so, configure the Domain profile of Windows Firewall to block all outbound connections by default, keeping in mind that there is no default rule allowing outbound ICMP traffic, so one must be added if ping and traceroute are to keep working.
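The steps above expressed as a PowerShell script, added here as an illustration and not taken from the original article. The subnets in $SmbServerNets and the name of the ICMP rule are placeholders that you would replace with your own values; the cmdlet and rule names are the standard ones shipped with Windows.

```powershell
# Added example (not from the original article): restrict the default outbound
# SMB rule, add an outbound ICMP allow rule, then make the Domain profile block
# all other outbound traffic. Run from an elevated prompt on a pilot group first.
# Placeholder subnets: replace with the networks that host your domain
# controllers, file servers and print infrastructure.
$SmbServerNets = @('10.10.1.0/24', '10.10.2.0/24', '10.20.0.0/16')

$ruleName = 'Core Networking - Group Policy (NP-Out)'

# 1. Show what the rule currently allows (by default: any remote address).
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# 2. Limit the rule to the SMB server networks only.
Set-NetFirewallRule -DisplayName $ruleName -RemoteAddress $SmbServerNets

# 3. There is no default outbound ICMP allow rule, so add one before switching
#    the profile to block, otherwise ping and tracert stop working.
$icmpRule = 'Allow outbound ICMPv4 echo (Domain)'   # placeholder rule name
if (-not (Get-NetFirewallRule -DisplayName $icmpRule -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $icmpRule -Direction Outbound `
        -Protocol ICMPv4 -IcmpType 8 -Action Allow -Profile Domain | Out-Null
}

# 4. Block outbound by default on the Domain profile and log dropped packets,
#    so applications that now break show up in the log rather than in tickets.
Set-NetFirewallProfile -Profile Domain -DefaultOutboundAction Block `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 5. Confirm the result.
Get-NetFirewallProfile -Name Domain | Select-Object Name, DefaultOutboundAction
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

If the firewall policy is delivered by Group Policy, make the same changes in that GPO (these cmdlets accept a -PolicyStore parameter for that purpose) rather than in the local store.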
Conclusion
In conclusion, this article has highlighted the importance and impact of Windows Firewall, a feature that offers many features often overlooked by organizations. Hardening Windows Firewall configurations can be challenging, especially in environments with many applications, but the benefits of doing so can be immense. Windows Firewall can serve as a strong first line of defense in a cybersecurity strategy, and organizations should take advantage of its capabilities to enhance their overall security posture.