Mastering Windows Firewall: Safeguarding Your Network’s Underbelly
As a seasoned IT professional, I’ve seen firsthand the critical importance of implementing robust security measures to protect Windows 10 PCs from the growing threat landscape. Organizations have traditionally focused on firewalling the network edge to stop inbound intruders, but that approach is no longer sufficient. With the rise of mobile computing and the ease of phishing users, a single compromised device sits inside your external shield, and from there the attacker moves laterally. It’s time to shift our focus to preventing outbound and lateral network communications within the internal network.
In this comprehensive guide, we’ll dive deep into leveraging the advanced features of the Windows Defender Firewall to secure your Windows 10 environment and prevent unauthorized network traffic from leaving or traversing your network.
Blocking Inbound SMB Connections
By default, no version of Windows allows inbound SMB communications after setup; the built-in Windows Defender Firewall (previously called Windows Firewall) rules prevent access to TCP port 445. However, the firewall does allow outbound SMB, and if you create an SMB share, it enables the firewall rules to allow inbound SMB.
The first step in securing your network is to ensure that the inbound SMB access is blocked at the perimeter hardware firewall. This will prevent any direct access to your internal network from the internet, even for VPN-connected devices. It’s highly unlikely that you’ll need to allow any outbound SMB to the internet, unless you’re using it as part of a public cloud offering like Azure Files SMB. If that’s the case, you should restrict that outbound traffic to only the service IP ranges.
Inventorying and Auditing SMB Usage
Now that we’ve secured the network perimeter, it’s time to take a closer look at the internal SMB traffic within your network. File servers and domain controllers obviously require SMB inbound to perform their roles, but other built-in roles and features may also rely on SMB. You can use the Get-FileShares script by Sam Boutros to examine the shares on your servers and clients, and decide which ones are legitimate, no longer needed, or potentially created by rogue users.
It’s also important to enable SMB access auditing, which has been available since Windows Vista and Windows Server 2008. This will provide an audit trail of SMB inbound access, allowing you to identify which nodes are talking to which endpoints over SMB. This information can help you determine if an endpoint’s shares are truly in use or if the server has no obvious SMB customers.
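The inventory and audit steps above, as an added PowerShell example (this is not the Get-FileShares script and not part of the original article). It uses the built-in SmbShare and NetTCPIP cmdlets to list shares, current inbound SMB sessions and established outbound TCP 445 connections with their owning process, turns on the "File Share" audit subcategory, and summarises the resulting Security event ID 5140 entries by client and share. Function names are my own; run it from an elevated prompt.

```powershell
# Inventory of a host's SMB exposure (added example; function names are assumptions, not part of Windows).
function Get-SmbExposure {
    [CmdletBinding()]
    param()

    # All shares; the Special flag marks the built-in admin shares (C$, ADMIN$, IPC$).
    $shares = @(Get-SmbShare -ErrorAction SilentlyContinue | Select-Object Name, Path, Special)

    # Server side: who is connected to this host right now.
    $inbound = @(Get-SmbSession -ErrorAction SilentlyContinue |
        Select-Object ClientComputerName, ClientUserName, NumOpens, SecondsIdle)

    # Client side: where this host is talking SMB to, and which process owns the socket.
    $outbound = @(Get-NetTCPConnection -RemotePort 445 -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                RemoteAddress = $_.RemoteAddress
                ProcessId     = $_.OwningProcess
                ProcessName   = $proc.ProcessName
            }
        })

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Shares              = $shares
        CustomShares        = @($shares | Where-Object { -not $_.Special })   # the ones to review
        InboundSessions     = $inbound
        OutboundConnections = $outbound
    }
}

# Enables the "File Share" audit subcategory: every share connection is logged as Security event 5140.
# "Detailed File Share" (event 5145) records each file and folder access and is far noisier; leave it off
# unless you need per-object detail.
function Enable-SmbShareAuditing {
    & auditpol.exe /set /subcategory:"File Share" /success:enable /failure:enable | Out-Null
    & auditpol.exe /get /subcategory:"File Share"
}

# Summarises 5140 events so you can see which clients actually use which shares on this host.
function Get-SmbShareAccessSummary {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 5140; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Client = $d['IpAddress']
            User   = $d['SubjectUserName']
            Share  = $d['ShareName']
        }
    } | Group-Object Client, Share | Sort-Object Count -Descending | Select-Object Count, Name
}

# Usage:
#   $report = Get-SmbExposure; $report.CustomShares; $report.OutboundConnections
#   Enable-SmbShareAuditing
#   Get-SmbShareAccessSummary -Hours 168
```

A host whose `Get-SmbShareAccessSummary` stays empty for a week after auditing is enabled has no obvious SMB customers and is a candidate for the inbound block rule described later; a host with unexpected `OutboundConnections` is worth a closer look before you write the outbound rules.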
Implementing Granular Firewall Policies
With the inventory of SMB usage and auditing data in hand, you can now begin crafting targeted firewall policies to restrict both inbound and outbound SMB traffic. This is a crucial step in preventing lateral movement and protecting your network from potential attacks.
Inbound SMB Restrictions
For Windows clients and servers that do not host SMB shares, you can block all inbound SMB traffic using the Windows Defender Firewall. This includes creating rules to block the following inbound traffic:
- File and Printer Sharing (SMB-In)
- Netlogon Service (NP-In)
- Remote Event Log Management (NP-In)
- Remote Service Management (NP-In)
You should also create a custom blocking rule to override any other inbound firewall rules, with the following settings:
- Name: Block all inbound SMB 445
- Description: Blocks all inbound SMB TCP 445 traffic. Not to be applied to domain controllers or computers that host SMB shares.
- Action: Block the connection
- Programs: All
- Remote Computers: Any
- Protocol Type: TCP
- Local Port: 445
- Remote Port: Any
- Profiles: All
- Scope (Local IP Address): Any
- Scope (Remote IP Address): Any
- Edge Traversal: Block edge traversal
Remember, you must not globally block inbound SMB traffic to domain controllers or file servers, as this would prevent users and applications from accessing their data. However, you can restrict access to them from trusted IP ranges and devices to lower their attack surface.
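The inbound block rule from the list above, as an added PowerShell example (not code from the original article). It creates the custom "Block all inbound SMB 445" rule with `New-NetFirewallRule`, sets the four built-in inbound rules named above to Block, and refuses to run on a domain controller or on a host that serves non-default shares. Block rules win over ordinary allow rules in Windows Defender Firewall, so the custom rule overrides any other inbound allow for port 445. The function names and the safety checks are my own; `-PolicyStore` defaults to the local persistent store, and a Group Policy path such as `contoso.com\SMB Hardening` can be passed to author the rules into a GPO instead.

```powershell
# Added example: inbound TCP 445 block rule as described on the page. Run elevated; use -WhatIf to preview.
function New-InboundSmbBlockRule {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$PolicyStore = 'PersistentStore'   # local firewall policy; or "<domain>\<GPO name>"
    )

    # Safety checks (constructed): DomainRole 4/5 = backup/primary domain controller.
    $cs = Get-CimInstance Win32_ComputerSystem
    if ($cs.DomainRole -in 4, 5) { throw 'This host is a domain controller; inbound SMB must stay allowed.' }
    $custom = @(Get-SmbShare -ErrorAction SilentlyContinue | Where-Object { -not $_.Special })
    if ($custom.Count -gt 0) {
        throw ('This host serves shares ({0}); do not apply the block here.' -f ($custom.Name -join ', '))
    }

    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Create inbound TCP 445 block rule')) { return }

    # The custom rule with the exact settings from the page.
    New-NetFirewallRule -PolicyStore $PolicyStore `
        -DisplayName 'Block all inbound SMB 445' `
        -Description 'Blocks all inbound SMB TCP 445 traffic. Not to be applied to domain controllers or computers that host SMB shares.' `
        -Direction Inbound -Action Block `
        -Program Any -RemoteAddress Any -LocalAddress Any `
        -Protocol TCP -LocalPort 445 -RemotePort Any `
        -Profile Any -EdgeTraversalPolicy Block -Enabled True

    # Flip the built-in inbound rules listed on the page to Block as well. Display names are locale
    # dependent and not every edition ships all four, so missing rules are reported rather than fatal.
    $builtIn = @(
        'File and Printer Sharing (SMB-In)',
        'Netlogon Service (NP-In)',
        'Remote Event Log Management (NP-In)',
        'Remote Service Management (NP-In)'
    )
    foreach ($name in $builtIn) {
        $rule = Get-NetFirewallRule -PolicyStore $PolicyStore -DisplayName $name -ErrorAction SilentlyContinue
        if ($rule) { $rule | Set-NetFirewallRule -Action Block }
        else       { Write-Warning "Built-in rule not found: $name" }
    }
}

# Shows the effective inbound rules for port 445 so the result can be checked after a gpupdate.
function Get-InboundSmbRuleState {
    Get-NetFirewallRule -Direction Inbound -Enabled True |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' } |
        Select-Object DisplayName, Action, Profile, PolicyStoreSource
}

# Usage:
#   New-InboundSmbBlockRule -WhatIf
#   New-InboundSmbBlockRule
#   Get-InboundSmbRuleState
```

After deployment, `Test-NetConnection -ComputerName <host> -Port 445` from another machine on the same segment should report `TcpTestSucceeded : False`, and the blocked attempts appear in the firewall log if "Log dropped packets" is enabled for the profile.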
Outbound SMB Restrictions
Windows clients and servers require outbound SMB connections to apply group policy from domain controllers and for users and applications to access data on file servers. Therefore, you need to be more selective in your outbound SMB firewall rules.
For untrusted (Guest/Public) networks, create a rule to block all outbound SMB TCP 445 traffic:
- Name: Block outbound Guest/Public SMB 445
- Description: Blocks all outbound SMB TCP 445 traffic when on an untrusted network
- Action: Block the connection
- Programs: All
- Remote Computers: Any
- Protocol Type: TCP
- Local Port: Any
- Remote Port: 445
- Profiles: Guest/Public
- Scope (Local IP Address): Any
- Scope (Remote IP Address): Any
- Edge Traversal: Block edge traversal
For trusted (Private/Domain) networks, create two rules. First, the allow rule:
- Name: Allow outbound Domain/Private SMB 445
- Description: Allows outbound SMB TCP 445 traffic to only DCs and file servers when on a trusted network
- Action: Allow the connection if it is secure
- Customize Allow if Secure Settings: pick one of the options, set Override block rules = ON
- Programs: All
- Protocol Type: TCP
- Local Port: Any
- Remote Port: 445
- Profiles: Private/Domain
- Scope (Local IP Address): Any
- Scope (Remote IP Address):
- Edge Traversal: Block edge traversal
Then the block rule that the allow rule overrides:
- Name: Block outbound Domain/Private SMB 445
- Description: Blocks outbound SMB TCP 445 traffic. Override by using the “Allow outbound Domain/Private SMB 445” rule
- Action: Block the connection
- Programs: All
- Remote Computers: N/A
- Protocol Type: TCP
- Local Port: Any
- Remote Port: 445
- Profiles: Private/Domain
- Scope (Local IP Address): Any
- Scope (Remote IP Address): N/A
- Edge Traversal: Block edge traversal
Important: You must use a connection security rule to implement the outbound firewall rule exceptions for the “Allow the connection if it is secure” and “Allow the connection to use null encapsulation” settings. If you do not deploy this rule to all Windows-based and Windows Server-based computers, IPsec authentication will fail, the allow rule will never match, and SMB will be blocked outbound.
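The three outbound rules and the connection security rule they depend on, as an added PowerShell example (not code from the original article). `-Authentication Required` with `-OverrideBlockRules $true` is the cmdlet form of "Allow the connection if it is secure" with "Override block rules" on; `-Authentication NoEncap` would be the null-encapsulation variant, and `-Encryption Required` the encrypted one. The `New-NetIPsecRule` call only *requests* authentication outbound, so hosts that cannot authenticate still fall through to the block rule rather than breaking non-SMB traffic; it relies on the default Phase 1 authentication set (Kerberos computer authentication in a domain), which is an assumption you should confirm in your environment. Function names are my own; deploy the same set, including the connection security rule, to the DCs and file servers as well, since they must answer the IPsec request.

```powershell
# Added example: outbound SMB 445 rules as described on the page. Run elevated; use -WhatIf to preview.
function New-OutboundSmbRules {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$PolicyStore = 'PersistentStore'   # local policy, or "<domain>\<GPO name>" for Group Policy
    )
    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Create outbound SMB 445 rules')) { return }

    # 1. Untrusted networks: nothing leaves on TCP 445. (The "Guest/Public" profile is Public in the cmdlets.)
    New-NetFirewallRule -PolicyStore $PolicyStore `
        -DisplayName 'Block outbound Guest/Public SMB 445' `
        -Description 'Blocks all outbound SMB TCP 445 traffic when on an untrusted network' `
        -Direction Outbound -Action Block -Program Any `
        -Protocol TCP -LocalPort Any -RemotePort 445 `
        -Profile Public -RemoteAddress Any -Enabled True

    # 2. Trusted networks: default-deny outbound 445 ...
    New-NetFirewallRule -PolicyStore $PolicyStore `
        -DisplayName 'Block outbound Domain/Private SMB 445' `
        -Description 'Blocks outbound SMB TCP 445 traffic. Override by using the "Allow outbound Domain/Private SMB 445" rule' `
        -Direction Outbound -Action Block -Program Any `
        -Protocol TCP -LocalPort Any -RemotePort 445 `
        -Profile Domain, Private -Enabled True

    # 3. ... and allow only IPsec-authenticated connections, letting this rule override the block above.
    New-NetFirewallRule -PolicyStore $PolicyStore `
        -DisplayName 'Allow outbound Domain/Private SMB 445' `
        -Description 'Allows outbound SMB TCP 445 traffic to only DCs and file servers when on a trusted network' `
        -Direction Outbound -Action Allow -Program Any `
        -Protocol TCP -LocalPort Any -RemotePort 445 `
        -Profile Domain, Private -RemoteAddress Any `
        -Authentication Required -Encryption NotRequired -OverrideBlockRules $true -Enabled True

    # 4. The connection security rule. Without it no IPsec negotiation happens and rule 3 never matches.
    New-NetIPsecRule -PolicyStore $PolicyStore `
        -DisplayName 'Request IPsec authentication for outbound SMB 445' `
        -Description 'Requests IPsec authentication on outbound TCP 445 so the allow-if-secure rule can match' `
        -Protocol TCP -RemotePort 445 -Mode Transport `
        -InboundSecurity None -OutboundSecurity Request `
        -Profile Domain, Private -Enabled True
}

# Lists the rules created above plus any IPsec security associations currently open to port 445,
# which is the quickest way to see whether the allow-if-secure path is actually being taken.
function Get-OutboundSmbRuleState {
    Get-NetFirewallRule -DisplayName '*outbound*SMB 445*' -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Action, Profile, Enabled, Authentication, OverrideBlockRules
    Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -eq 445 } |
        Select-Object LocalEndpoint, RemoteEndpoint, RemotePort
}

# Usage:
#   New-OutboundSmbRules -WhatIf
#   New-OutboundSmbRules
#   Get-OutboundSmbRuleState
```

Roll this out in two stages: deploy the connection security rule to every host first and confirm `Get-NetIPsecQuickModeSA` shows associations to the DCs and file servers, then enable the block and allow rules. Enabling the blocks before the IPsec request is everywhere is exactly the failure the Important note above describes.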
Disabling SMB Server Service for Increased Security
For consumer or highly isolated, managed computers that do not require SMB at all, you can go a step further and disable the Server or Workstation services. This will prevent the machine from making outbound SMB connections or receiving inbound SMB connections, effectively eliminating the SMB attack surface.
However, you must not disable the Server service on domain controllers or file servers, as this would prevent clients from applying group policy or connecting to their data. Similarly, you must not disable the Workstation service on computers that are members of an Active Directory domain, as this would prevent them from applying group policy.
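The service shutdown from this section with its preconditions enforced, as an added PowerShell example (not code from the original article). It stops and disables the Server service (LanmanServer) and, only when asked, the Workstation service (LanmanWorkstation), and refuses on a domain controller, on a host that serves non-default shares, or (for the Workstation service) on a domain member. Function name and checks are my own.

```powershell
# Added example: disable the SMB services on an isolated, non-domain machine. Run elevated; -WhatIf previews.
function Disable-SmbServices {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$IncludeWorkstation   # also disable the SMB client; never on a domain member
    )

    $cs = Get-CimInstance Win32_ComputerSystem
    if ($cs.DomainRole -in 4, 5) {
        throw 'Domain controller: the Server service must keep running so clients can apply Group Policy.'
    }
    # Get-SmbShare needs LanmanServer up; if it is already stopped there is nothing being served.
    $custom = @(Get-SmbShare -ErrorAction SilentlyContinue | Where-Object { -not $_.Special })
    if ($custom.Count -gt 0) {
        throw ('This host serves shares ({0}); treat it as a file server.' -f ($custom.Name -join ', '))
    }
    if ($IncludeWorkstation -and $cs.PartOfDomain) {
        throw 'Domain member: the Workstation service is required to apply Group Policy.'
    }

    $services = @('LanmanServer')
    if ($IncludeWorkstation) { $services += 'LanmanWorkstation' }

    foreach ($name in $services) {
        if ($PSCmdlet.ShouldProcess($name, 'Stop and set startup type to Disabled')) {
            Stop-Service -Name $name -Force -ErrorAction Stop
            Set-Service -Name $name -StartupType Disabled
        }
    }
    Get-Service -Name $services | Select-Object Name, Status, StartType
}

# Usage:
#   Disable-SmbServices -WhatIf
#   Disable-SmbServices                      # server side only
#   Disable-SmbServices -IncludeWorkstation  # standalone, fully isolated machines
```

After a reboot, `Get-NetTCPConnection -LocalPort 445 -State Listen` should return nothing on such a host, which is a simple check to include in compliance scans.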
Conclusion
Securing your Windows 10 environment goes beyond the traditional perimeter-based approach. By leveraging the advanced features of the Windows Defender Firewall, you can create granular policies to restrict both inbound and outbound SMB traffic, effectively preventing lateral movement and reducing the attack surface within your network.
Remember, the key is to start with a thorough inventory of your SMB usage, enable auditing, and then carefully craft your firewall rules to allow only the necessary and trusted connections. This layered approach, combined with disabling the SMB Server service on non-essential devices, will make your network significantly more secure and less attractive to potential attackers.
Implementing these best practices requires an investment of time and effort, but the payoff in terms of enhanced network security and protection against advanced threats is well worth it. Stay vigilant, and keep your Windows 10 environment secure with the power of the Windows Defender Firewall.