
SANS ISC: More about the host based firewall on Windows XP SP2 - SANS Internet Storm Center SANS ISC InfoSec Forums


More about the host based firewall on Windows XP SP2
Two weeks ago, as part of our "Security tip of the day" series, I wrote a diary about using the host based firewall provided with Windows XP.
We received some valuable submissions about this, so it's time to share them with everyone.

One of our readers also asked why I didn't write about any other (commercial or free) third-party host based firewall. While other products indeed exist, and typically have more features than the host based firewall provided with Windows XP (which, as I noted in the first diary, is lacking in several respects), the idea of the original diary was to give you more information about a firewall that is already available. I've found that the integrated host based firewall in Windows XP is usually underestimated (or turned off because it became a problem) in corporate environments.

Now, let's see how our readers use this firewall. Iain Taylor described how he uses GPOs to manage the host based firewall on workstations which have to share printers. Iain uses WMI filtering in GPOs, which allows him some pretty cool deployments (his WMI kung-fu was obviously on a reasonable level).
Here's Iain's e-mail:

One common requirement on business networks is printer sharing from workstations.
Unfortunately, the ports used are ones that would normally be closed on all workstations, as they are also used for file sharing and are a very common target of attack by all forms of crudware.

To maintain as much protection as possible, we only want to open those ports on a targeted subset of machines - i.e. those that actually both have a printer attached AND share it. To achieve this we have used a conditional group policy to open File & Printer sharing ports on the machines which are sharing printers.

Putting those machines into different OUs and applying a specialised GPO with the relaxed firewall settings to them would be one solution; however, keeping track of which machines require this behaviour can be challenging. Instead, we use a slightly less well-known feature of GPOs - WMI filtering. This allows the clients to execute a WMI query before deciding to activate a GPO applied to them or not. Now the firewall rules can be 'intelligently' applied, only being relaxed if the Workstation requires the feature, whilst remaining locked-down otherwise.

To achieve this there are two firewall rules GPOs. One is the default (restricted) configuration, applied to all systems without filtering. The other, applied afterwards, has the WMI query attached to it and contains the same settings, except for the File and Printer sharing ports being permitted. The query itself works as follows...

select * from Win32_Printer where Local = TRUE and Shared = TRUE

Using the Windows built-in 'root\CIMv2' namespace, the WMI query first finds whether the machine has a local printer & then checks whether it is shared. If both are true, then the client will apply the GPO, opening the ports. Otherwise the query returns false, the Policy is not applied & the more restrictive default policy is in play.
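
The filter query from Iain's e-mail can be run by hand on a workstation to see which way the filter would evaluate there. The PowerShell below is an added example, not part of the original diary or of Iain's e-mail; the function name Test-PrinterShareFilter is hypothetical, and it assumes PowerShell with Get-WmiObject is installed on the machine being checked.

```powershell
# Added example: run the GPO's WMI filter query locally to predict whether
# the relaxed (File and Printer Sharing) firewall GPO would apply here.
# Test-PrinterShareFilter is a hypothetical helper name, not a built-in cmdlet.
function Test-PrinterShareFilter {
    param(
        [string]$ComputerName = '.',
        [string]$Namespace    = 'root\CIMv2',
        [string]$Query        = 'select * from Win32_Printer where Local = TRUE and Shared = TRUE'
    )

    try {
        # A WMI filter evaluates to true when the query returns at least one instance.
        $printers = @(Get-WmiObject -ComputerName $ComputerName -Namespace $Namespace `
                                    -Query $Query -ErrorAction Stop)
    }
    catch {
        # Report the failure instead of guessing how the filter would evaluate.
        Write-Warning "WMI query failed on ${ComputerName}: $($_.Exception.Message)"
        return
    }

    # New-Object PSObject keeps this compatible with PowerShell 2.0.
    $result = New-Object PSObject -Property @{
        ComputerName   = $ComputerName
        FilterIsTrue   = ($printers.Count -gt 0)
        SharedPrinters = @($printers | ForEach-Object { $_.ShareName })
    }

    if ($result.FilterIsTrue) {
        Write-Host "Filter TRUE: relaxed GPO would apply. Shared local printers:"
        $printers | Format-Table Name, ShareName, PortName -AutoSize | Out-Host
    }
    else {
        Write-Host "Filter FALSE: only the default (restricted) firewall GPO applies."
    }
    return $result
}

# Check the local machine.
Test-PrinterShareFilter
```

A machine where the filter is false but the File and Printer Sharing ports are still open is worth investigating, since the exception did not come from this GPO. Compare the result with the applied and filtered-out GPOs that gpresult reports for the same workstation.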

Ray also wrote to remind us of a nice tool that Microsoft provides: Port Reporter. This tool installs as a service and logs all TCP and UDP port activity. When used with the Port Reporter Parser tool, it provides a very nice source of information about processes that used any ports on the machine.
You can find more information about Port Reporter at http://support.microsoft.com/?id=837243.


Bojan

ISC Handler
