It is possible to leverage tools such as AppSense Environment Manager (part of the AppSense DesktopNow suite), or even launcher scripts, to add Windows firewall rules on demand. This reduces the attack surface of your systems, but it also makes it harder to scan for vulnerable end-points on your network: to scan an end-point completely, you would first need to have run every application that carries a firewall rule.
Process Start/Application Launch Action
In order to ensure the firewall rule is only applied when required, the actions will be placed on a process start/application launch action.
For the sake of this example I will be using Notepad.exe as the process to hook our actions to.
Since there is no native action to add firewall rules in AppSense Environment Manager Policy, we will be running a Custom Execute action.
We simply run a command line action to add a firewall rule.
Add firewall rule

Enter the execute action with the following parameters:

| Setting | Value |
|---|---|
| Parameters | advfirewall firewall add rule name="Disallow Notepad notepad.exe" dir=in action=block program="C:\Windows\System32\notepad.exe" enable=yes profile=domain |
We also need to elevate the command to SYSTEM, since a user usually does not have permission to add firewall rules.
It is also good practice to give each action a meaningful name.
However, at this point we are not done: if the rule is applied as is, you will find that the same rule is added every time Notepad is launched.
In order to prevent this we could use a Run Once Per Session condition; however, this would still result in multiple instances of the firewall rule, as a new rule would be added for every separate user session (i.e. every time you log out and back in). Similarly, on a Remote Desktop Services (Terminal Server) session each user would create a firewall rule.
To get around this issue we simply create a flag in the machine registry. I would recommend having a dedicated key to store all of your configuration keys; in this case HKLM\Software\ConfigMonkey.
Check for firewall flag

Add a condition that checks whether the flag registry value exists:

| Setting | Value |
|---|---|
| Use Default Value | UNCHECKED |
| Comparison | Does Not Exist |
Create registry flag key and value

IF the key does not exist, create the flag value:

- Create a registry key (Run as: SYSTEM)
- Create a registry value (Run as: SYSTEM)
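The same logic, written as a launcher script rather than as AppSense actions, is shown below as an added example; it is not code from the original post or from AppSense. It uses the rule name, program path and HKLM\Software\ConfigMonkey key from the post; the flag value name `NotepadRuleApplied` is a hypothetical choice. It also adds one check the post does not describe: before trusting the registry flag, it asks netsh whether the rule is really present, so a rule that has been deleted by hand is re-created instead of staying silently missing while the flag says otherwise. Like the Custom Execute action, it must run as SYSTEM or an elevated administrator.

```powershell
# Added example (not the post's own code): on-demand firewall rule with a
# machine-wide registry flag, equivalent to the AppSense actions above.
# Assumed values: flag key HKLM\Software\ConfigMonkey (from the post),
# flag value name NotepadRuleApplied (hypothetical).

$FlagKey  = 'HKLM:\Software\ConfigMonkey'
$FlagName = 'NotepadRuleApplied'                 # hypothetical value name
$RuleName = 'Disallow Notepad notepad.exe'
$Program  = 'C:\Windows\System32\notepad.exe'

function Test-FlagPresent {
    # Mirrors the "Check if registry value exists" condition
    # (Use Default Value unchecked, Comparison = Does Not Exist).
    $item = Get-ItemProperty -Path $FlagKey -Name $FlagName -ErrorAction SilentlyContinue
    return ($null -ne $item)
}

function Test-RulePresent {
    # Ask the firewall itself; netsh exits non-zero when no rule matches.
    & netsh.exe advfirewall firewall show rule name="$RuleName" | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Add-BlockRule {
    # Same parameters as the post's Custom Execute action.
    & netsh.exe advfirewall firewall add rule name="$RuleName" dir=in action=block `
        program="$Program" enable=yes profile=domain | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "netsh failed with exit code $LASTEXITCODE"
    }
}

function Set-Flag {
    # Mirrors "Create a registry key" followed by "Create registry flag value".
    if (-not (Test-Path -Path $FlagKey)) {
        New-Item -Path $FlagKey -Force | Out-Null
    }
    New-ItemProperty -Path $FlagKey -Name $FlagName -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

# Add the rule only when it is genuinely absent; the flag alone is not proof.
if ((Test-FlagPresent) -and (Test-RulePresent)) {
    Write-Verbose "Rule '$RuleName' already present; nothing to do."
} else {
    Add-BlockRule
    Set-Flag
}

# Hand off to the application the script is wrapping.
Start-Process -FilePath $Program
```

On Windows 8 / Server 2012 and later the netsh calls can be replaced with the NetSecurity cmdlets (`Get-NetFirewallRule -DisplayName $RuleName` and `New-NetFirewallRule`), which return objects instead of text and remove the dependency on `$LASTEXITCODE`; the netsh form is kept here to match the post. Because the flag lives under HKLM and the rule is added with netsh, the check-then-add sequence runs once per machine rather than once per user session, which is exactly the duplication the Run Once Per Session condition could not prevent.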