Understanding the Importance of Firewall Protection
In today’s digital landscape, where cyber threats are constantly evolving, securing your Windows 10 PC is of utmost importance. While the perimeter-based security approach has traditionally focused on protecting the network edge, the rise of mobile computing and the ease of user-targeted attacks have made it crucial to delve deeper into securing the inner workings of your network.
The Windows Defender Firewall, included in every Windows machine, is a powerful tool that can help you fortify your system against unauthorized access and malicious traffic. By leveraging the advanced firewall settings and implementing comprehensive network monitoring policies, you can significantly enhance the security of your Windows 10 PC and mitigate the risk of data breaches, lateral movement, and other cyber attacks.
Blocking Inbound SMB Traffic
One of the primary steps in securing your Windows 10 PC is to block inbound Server Message Block (SMB) traffic. SMB is a widely used network file sharing protocol, and it can be a prime target for attackers. By default, the Windows Defender Firewall blocks inbound SMB traffic (TCP port 445) from the internet, but it allows outbound SMB connections.
To further tighten the security, you should create a new firewall rule to block all inbound SMB traffic, regardless of the network profile (Domain, Private, or Public). This rule can be applied to Windows clients and servers that do not host SMB shares, effectively preventing remote connections from malicious or compromised devices.
Name: Block all inbound SMB 445
Description: Blocks all inbound SMB TCP 445 traffic. Not to be applied to domain controllers or computers that host SMB shares.
Action: Block the connection
Programs: All
Remote Computers: Any
Protocol Type: TCP
Local Port: 445
Remote Port: Any
Profiles: All
Scope (Local IP Address): Any
Scope (Remote IP Address): Any
Edge Traversal: Block edge traversal
It’s important to note that you should not apply this rule to domain controllers or file servers, as they require inbound SMB traffic to perform their essential functions. Instead, you can restrict access to these critical systems from trusted IP ranges and devices to lower their attack surface.
Controlling Outbound SMB Connections
While blocking inbound SMB traffic is crucial, you also need to control outbound SMB connections to prevent lateral movement and data exfiltration within your network. By default, Windows clients and servers have no restrictions on outbound SMB connections, so you’ll need to create new firewall rules to address this.
For untrusted (Guest/Public) networks, you can create a rule to block all outbound SMB traffic (TCP port 445):
Name: Block outbound Guest/Public SMB 445
Description: Blocks all outbound SMB TCP 445 traffic when on an untrusted network
Action: Block the connection
Programs: All
Remote Computers: Any
Protocol Type: TCP
Local Port: Any
Remote Port: 445
Profiles: Guest/Public
Scope (Local IP Address): Any
Scope (Remote IP Address): Any
Edge Traversal: Block edge traversal
For trusted (Private/Domain) networks, you can create two rules:
- Allow outbound SMB to domain controllers and file servers:
Name: Allow outbound Domain/Private SMB 445
Description: Allows outbound SMB TCP 445 traffic to only DCs and file servers when on a trusted network
Action: Allow the connection if it is secure
Customize Allow if Secure Settings: pick one of the options, set Override block rules = ON
Programs: All
Protocol Type: TCP
Local Port: Any
Remote Port: 445
Profiles: Private/Domain
Scope (Local IP Address): Any
Scope (Remote IP Address):
Edge Traversal: Block edge traversal
- Block all other outbound SMB connections:
Name: Block outbound Domain/Private SMB 445
Description: Blocks outbound SMB TCP 445 traffic. Override by using the "Allow outbound Domain/Private SMB 445" rule
Action: Block the connection
Programs: All
Remote Computers: N/A
Protocol Type: TCP
Local Port: Any
Remote Port: 445
Profiles: Private/Domain
Scope (Local IP Address): Any
Scope (Remote IP Address): N/A
Edge Traversal: Block edge traversal
Remember, you must also create a security connection rule to implement the “Allow the connection if it is secure” and “Allow the connection to use null encapsulation” settings. If you do not set this rule on all Windows-based and Windows Server-based computers, authentication will fail, and SMB will be blocked outbound.
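The four rules above, written as PowerShell for the built-in NetSecurity module (an added example, not code from the original post or from Microsoft's guidance). The list of trusted server addresses is an assumed placeholder you must replace with your own domain controllers and file servers.

```powershell
# Added example: creates the inbound and outbound SMB 445 rules described in the text.
# Run from an elevated PowerShell prompt. Edge traversal is only configurable on inbound
# rules in the firewall, so it is set explicitly there and left at its default elsewhere.
$TrustedSmbServers = @('10.0.0.10', '10.0.0.11')   # ASSUMPTION: your DCs / file servers

# 1. Block all inbound SMB 445 on every profile (not for DCs or computers hosting shares).
New-NetFirewallRule -DisplayName 'Block all inbound SMB 445' `
    -Description 'Blocks all inbound SMB TCP 445 traffic. Not to be applied to domain controllers or computers that host SMB shares.' `
    -Direction Inbound -Action Block -Protocol TCP -LocalPort 445 -RemotePort Any `
    -Profile Any -EdgeTraversalPolicy Block

# 2. Block all outbound SMB 445 when on an untrusted (Public) network.
New-NetFirewallRule -DisplayName 'Block outbound Guest/Public SMB 445' `
    -Description 'Blocks all outbound SMB TCP 445 traffic when on an untrusted network' `
    -Direction Outbound -Action Block -Protocol TCP -RemotePort 445 -Profile Public

# 3. Allow outbound SMB 445 only to the trusted servers, and only when the connection is
#    authenticated ("Allow the connection if it is secure"). -OverrideBlockRules lets this
#    rule win over the block rule created in step 4.
New-NetFirewallRule -DisplayName 'Allow outbound Domain/Private SMB 445' `
    -Description 'Allows outbound SMB TCP 445 traffic to only DCs and file servers when on a trusted network' `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 445 `
    -Profile Domain, Private -RemoteAddress $TrustedSmbServers `
    -Authentication Required -OverrideBlockRules $true

# 4. Block every other outbound SMB 445 connection on trusted networks.
New-NetFirewallRule -DisplayName 'Block outbound Domain/Private SMB 445' `
    -Description 'Blocks outbound SMB TCP 445 traffic. Override by using the "Allow outbound Domain/Private SMB 445" rule' `
    -Direction Outbound -Action Block -Protocol TCP -RemotePort 445 -Profile Domain, Private

# Verify what was created: the four rules with their port and remote-address filters.
Get-NetFirewallRule -DisplayName '*SMB 445*' |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule       = $_.DisplayName
            Direction  = $_.Direction
            Action     = $_.Action
            Profile    = $_.Profile
            LocalPort  = $port.LocalPort
            RemotePort = $port.RemotePort
            RemoteAddr = ($addr.RemoteAddress -join ', ')
        }
    } | Format-Table -AutoSize
```

As the text notes, the rule in step 3 only matches once a connection security rule exists on both the client and the server; until then the block rule in step 4 applies and outbound SMB fails closed.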
Disabling SMB Server Service for Enhanced Security
For consumer or highly isolated, managed computers that do not require SMB at all, you can take an even more proactive approach by disabling the Server or Workstation services. This effectively prevents the system from making outbound SMB connections or receiving inbound SMB traffic.
To do this, you can use the “Services” snap-in (Services.msc) or the PowerShell Set-Service cmdlet. However, it’s crucial to note that you must not disable these services on domain controllers or file servers, as it would prevent clients from applying group policy or connecting to their data.
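A guarded version of that step for the Server service, as an added example (not from the original post): it refuses to act on a domain controller or on a machine that actually hosts shares, which is the caveat the text gives, and supports -WhatIf for a dry run.

```powershell
# Added example: stop and disable the SMB Server service (LanmanServer) only when it is
# safe to do so according to the checks the text calls for. Run elevated.
function Disable-SmbServerIfUnused {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain
    # controller. Disabling the Server service there would break group policy and logon.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    if ($role -ge 4) {
        Write-Warning "This computer is a domain controller (DomainRole=$role); leaving LanmanServer enabled."
        return
    }

    # Administrative shares (ADMIN$, C$, IPC$) are marked Special. Any other share means the
    # machine is genuinely serving files and must keep the Server service running.
    $userShares = Get-SmbShare | Where-Object { -not $_.Special }
    if ($userShares) {
        Write-Warning ("Shares are hosted here ({0}); leaving LanmanServer enabled." -f ($userShares.Name -join ', '))
        return
    }

    if ($PSCmdlet.ShouldProcess('LanmanServer', 'Stop and disable the SMB Server service')) {
        Stop-Service -Name LanmanServer -Force
        Set-Service -Name LanmanServer -StartupType Disabled
    }
}

Disable-SmbServerIfUnused -WhatIf   # preview the decision; drop -WhatIf to apply it
```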
Monitoring and Auditing SMB Activity
To gain visibility into your SMB activity and identify any potential anomalies, you can enable SMB auditing on your Windows devices. This feature, available since Windows Vista and Windows Server 2008, allows you to track inbound SMB access and create an audit trail.
To enable SMB auditing, you can configure the following Group Policy settings:
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object Access > Audit File Share
This audit trail can help you understand which nodes are communicating over SMB, allowing you to identify unused or suspicious shares and take appropriate action to mitigate the risks.
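The same audit setting applied locally, followed by a summary of the resulting events, as an added example (not from the original post). Audit File Share produces Security event 5140 ("A network share object was accessed"); the script groups those events by share, client address and account, then lists shares that nobody touched in the window.

```powershell
# Added example: enable the File Share audit subcategory (the local equivalent of the Group
# Policy path above) and summarise who is reaching which share. Run elevated.
auditpol.exe /set /subcategory:"File Share" /success:enable /failure:enable

function Get-SmbShareAccessSummary {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5140; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields from the event XML instead of parsing message text.
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Account  = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                ClientIP = $data['IpAddress']
                # ShareName is logged as \\*\Name; keep only the share name itself.
                Share    = ($data['ShareName'] -split '\\')[-1]
            }
        } |
        Group-Object Share, ClientIP, Account |
        ForEach-Object {
            [pscustomobject]@{
                Share    = $_.Group[0].Share
                ClientIP = $_.Group[0].ClientIP
                Account  = $_.Group[0].Account
                Count    = $_.Count
                LastSeen = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
            }
        } | Sort-Object Count -Descending
}

# Unexpected client addresses reaching ADMIN$ or C$ deserve a closer look; shares with no
# access at all in the window are candidates for removal.
$summary = Get-SmbShareAccessSummary
$summary | Format-Table -AutoSize
Get-SmbShare | Where-Object { $_.Name -notin $summary.Share } | Select-Object Name, Path
```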
Comprehensive Firewall and Network Monitoring Strategy
Securing your Windows 10 PC requires a comprehensive approach that goes beyond just blocking inbound SMB traffic. By implementing a layered security strategy that includes advanced firewall rules, disabling unnecessary SMB services, and monitoring SMB activity, you can significantly enhance the overall security of your system and network.
Remember, securing your Windows 10 PC is an ongoing process, as cyber threats are constantly evolving. Regularly review and update your firewall and network monitoring policies to stay ahead of the curve and protect your valuable data and resources.
For more information on Windows Defender Firewall configuration and advanced security strategies, be sure to visit the ITFix blog for additional resources and expert insights.