Adding Firewall Rules On Demand

It is possible to use tools such as AppSense Environment Manager (part of the AppSense DesktopNow suite), or even a launcher script, to add Windows Firewall rules on demand, i.e. only when the application that needs them is actually started. This reduces the attack surface of your systems, because a rule does not exist on a machine until the application it belongs to has been run there. The flip side is that it makes vulnerability scanning of endpoints harder: a scanner only sees what an endpoint currently exposes, so to scan an endpoint in its fully configured state you first need to have run every application that carries a firewall rule on it.

Process Start/Application Launch Action

To ensure the firewall rule is only applied when required, the actions are placed on a Process Start/Application Launch trigger.

For the sake of this example I will be using Notepad.exe as the process to hook our actions to.

Since there is no native action for adding firewall rules in AppSense Environment Manager Policy, we use a Custom Execute action.

We simply run netsh.exe from a command line action to add the firewall rule.

Add firewall rule

Enter execute action


Filename: %SystemRoot%\System32\netsh.exe
Working Directory: %SystemRoot%\System32
Parameters: advfirewall firewall add rule name="Disallow Notepad notepad.exe" dir=in action=block program="C:\Windows\System32\notepad.exe" enable=yes profile=domain

We also need to run the command as SYSTEM, since a standard user does not have permission to add firewall rules (adding a rule requires administrative rights).

Run as

It is also good practice to give each action a meaningful name.

However, at this point we are not done: if the rule is applied as is, you will find that an identical rule is added every time Notepad is launched, because netsh does not check whether a rule with that name already exists.

To prevent this we could use a Run Once Per Session condition, but that would still result in multiple copies of the rule, as a new one would be added for every separate user session (i.e. every time you log out and back in). Likewise, on a Remote Desktop Services (Terminal Server) host every user who launches the application would add another copy of the rule.

To get around this we create a flag in the machine part of the registry (HKLM), which is shared by all users and sessions on that machine. I would recommend having a dedicated key to store all of your configuration flags, in this case HKLM\Software\ConfigMonkey.

Check for Firewall flag

Check if registry value exists

Add a condition that checks whether the flag value exists; the actions placed under it only run when it does not.

Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\ConfigMonkey\Notepad
Use Default Value: UNCHECKED
Value name: FirewallRulesAdded
Value type: REG_DWORD
Comparison: Does Not Exist

Create registry flag key

If the value does not exist, create the key and then the flag value.

Create a registry key

Main Key: HKEY_LOCAL_MACHINE
Sub key: SOFTWARE\ConfigMonkey\Notepad

Run as: SYSTEM



Create registry flag value


Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\ConfigMonkey\Notepad
Value name: FirewallRulesAdded
Value type: REG_DWORD
Comparison: Equal To
Value: 00000001 (Hex)

Run as: SYSTEM
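The same three steps (check the flag, add the rule, set the flag) written as a single launcher script, as an added example that is not part of the original post and not AppSense code. It reuses the hypothetical flag key HKLM\SOFTWARE\ConfigMonkey\Notepad from the walkthrough and the same netsh rule; the function names are mine. Like the Execute action, it must run as SYSTEM or an elevated administrator, otherwise both the netsh call and the HKLM write fail:

```powershell
# Added example (not from the original post): on-demand firewall rule with a
# machine-wide registry flag, for the Notepad case used above.
# Assumes the hypothetical flag key HKLM\SOFTWARE\ConfigMonkey\Notepad.
# Run as SYSTEM or an elevated administrator.

$RuleName    = 'Disallow Notepad notepad.exe'
$ProgramPath = Join-Path $env:SystemRoot 'System32\notepad.exe'
$FlagKey     = 'HKLM:\SOFTWARE\ConfigMonkey\Notepad'   # hypothetical key from the post
$FlagName    = 'FirewallRulesAdded'
$Netsh       = Join-Path $env:SystemRoot 'System32\netsh.exe'

function Test-RuleFlag {
    # HKLM is per machine, so one flag covers every user session on the host,
    # which is exactly what a Run Once Per Session condition cannot give you on RDS.
    if (-not (Test-Path -Path $FlagKey)) { return $false }
    $props = Get-ItemProperty -Path $FlagKey -Name $FlagName -ErrorAction SilentlyContinue
    return ($null -ne $props -and $props.$FlagName -eq 1)
}

function Test-RuleExists {
    # Second guard: netsh adds a second rule with the same name without complaint,
    # so if the flag was ever lost (key deleted, image restored) ask the live
    # rule set before adding. "show rule" exits non-zero when nothing matches.
    & $Netsh advfirewall firewall show rule name="$RuleName" | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Add-OnDemandRule {
    # Same rule as the Execute action: inbound block for notepad.exe, domain profile only.
    & $Netsh advfirewall firewall add rule `
        name="$RuleName" dir=in action=block program="$ProgramPath" enable=yes profile=domain | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh add rule failed with exit code $LASTEXITCODE" }
}

function Set-RuleFlag {
    # Equivalent of the two registry actions: create the key, then the DWORD value = 1.
    New-Item -Path $FlagKey -Force | Out-Null
    New-ItemProperty -Path $FlagKey -Name $FlagName -PropertyType DWord -Value 1 -Force | Out-Null
}

if (Test-RuleFlag) {
    Write-Verbose "$FlagName already set under $FlagKey; nothing to do."
}
elseif (Test-RuleExists) {
    # Rule is present but the flag is missing: repair the flag, do not add a duplicate.
    Set-RuleFlag
}
else {
    Add-OnDemandRule
    Set-RuleFlag
}

# When used as a launcher wrapper, start the real program afterwards:
# Start-Process -FilePath $ProgramPath
```

Two things worth keeping in mind when adapting this. The rule is tied to the exact program path, so if the application is installed elsewhere (or a 32-bit copy under SysWOW64 is what actually runs) the rule will not match that binary. And because the script runs as SYSTEM on a trigger a standard user controls, keep every parameter fixed in the script as above; never build the netsh command line from anything the user can influence. On Windows 8 / Server 2012 and later, New-NetFirewallRule and Get-NetFirewallRule can replace the netsh calls and let you test for an existing rule by -DisplayName without parsing exit codes.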



Summary

