Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Newsletter Hub
Free Learning
Arrow right icon
timer SALE ENDS IN
0 Days
:
00 Hours
:
00 Minutes
:
00 Seconds
Arrow up icon
GO TO TOP
Windows Server 2016 Security, Certificates, and Remote Access Cookbook

You're reading from   Windows Server 2016 Security, Certificates, and Remote Access Cookbook Recipe-based guide for security, networking and PKI in Windows Server 2016

Arrow left icon
Product type Paperback
Published in Apr 2018
Publisher
ISBN-13 9781789137675
Length 138 pages
Edition 1st Edition
Concepts
Arrow right icon
Author (1):
Arrow left icon
Jordan Krause Jordan Krause
Author Profile Icon Jordan Krause
Jordan Krause
Arrow right icon
View More author details
Toc

Table of Contents (4) Chapters Close

1. Security and Networking FREE CHAPTER 2. Working with Certificates 3. Remote Access 4. Other Books You May Enjoy

Using Windows Firewall with Advanced Security to block unnecessary traffic

I encounter far too many networks with policies in place that disable the built-in Windows Firewall with Advanced Security (WFAS) by default on all of their machines. Usually, if I ask about this, the reason is either unknown or It's always been that way. I think this is a carry-over from the Windows XP/Server 2003 days, or maybe even older, when the Windows Firewall was less than desirable. Believe me when I tell you that WFAS in today's operating systems is very advanced, stable, and beneficial. If you want to stop unnecessary or malicious traffic from getting to your server, look no further than this built-in tool.

Getting ready

We are going to use two Windows Server 2016 machines for this task. We will test connectivity between the two to set our baseline and then create a rule that blocks the functions we just tested. Next, we will test again to ensure that our changes did what we expected them to, blocking the traffic that we attempt to generate. It is important to set up a baseline of tests and run those same tests following each change to ensure the rules are working exactly as you want them to.

How to do it...

If you want to stop unnecessary traffic from getting to your server, execute the following instructions:

  1. First, we want to test the existing connectivity. I log into my DC2 server, and from there I am able to successfully execute the ping web1 command and get a reply. I can also open up File Explorer and browse to \\WEB1 and see a folder shared there. This baseline test tells me that both ICMP (ping) traffic and file access are currently open and allowed by WFAS on WEB1. We want to stop these functions from happening.
  2. Log in to WEB1 and open Windows Firewall with Advanced Security. You can open this either from the Start screen and typing it in, or by opening a Run prompt and typing wf.msc.

 

  1. Inside WFAS, your two best friends when trying to control traffic are the Inbound Rules and Outbound Rules sections on the left. You need to think of Inbound and Outbound from the server's perspective. Inbound Rules manipulate traffic that is flowing in toward your server, and Outbound Rules handle traffic flowing out of your server toward the rest of the network. If you click on Inbound Rules, you will see the list of preconfigured rules that exist already.
  2. Right-click on Inbound Rules and click on New Rule....
  3. First, let's make a rule to block the file access from happening. Choose Port and on the next screen, enter the value for port TCP as 445. Then you realize that you might as well also block RDP access since that is also currently enabled. No problem! Simply comma separate these numbers as follows:
  1. Choose Block the connection.
  2. On the next screen where you choose which firewall profile the rule applies to, you can leave it set to all three checked as the default. This will ensure that the rule will apply to any NIC that has any firewall profile assigned. If you only have a single NIC on your server and it is joined to the domain, then you could get away with only selecting the domain profile if you wanted to deselect the other two. For our recipe, I'm going to leave them all checked.
  3. Type any kind of descriptive name for your rule—something like Block File and RDP Access.
  4. You did it! You will see that the new rule exists, and it is immediately put into action. If you head over to your other server, you will now find that you can no longer RDP or browse the file shares at all on WEB1.
  5. We can still successfully ping WEB1, though, and we wanted to put a stop to that as well. To stop ICMP traffic, you simply need to create another rule. This one is a little bit more complicated, though. First, go ahead and create a second Inbound Rule, and use the exact same settings that you used for your RDP file rule. You can enter anything into the Port field; it doesn't matter because we will be invalidating it in a minute, so maybe use port 445 for our example.

 

  1. Great, now you have two rules in there that are both blocking port 445. That doesn't do us much good. Right-click on the newest rule that we just created, head into Properties, and let's improve this rule a little bit.
  2. Inside the Protocols and Ports tab, drop down the Protocol type and choose ICMPv4. That's all you have to do! You have now modified this rule so that it is no longer blocking TCP port 445, but rather this rule is now blocking ICMPv4 traffic:
  1. If you log back into DC2, we no longer receive ping replies when trying to contact the WEB1 server.

Take some time to play around inside the Scope tab. This section of a WFAS rule allows you to scope the rule down so that it only applies to particular IP addresses or ranges. Maybe you only want to block file share access from a particular subnet or only for the external NIC of an edge server. Requirements like these are easy to accomplish!

How it works...

We used the Windows Firewall with Advanced Security to create a couple of simple rules to block unwanted traffic coming into our server. These rules are put into place immediately and are very easy to generate. What is even greater is that our WFAS rules can be created centrally by making use of Group Policy so that you don't even have to touch the individual servers to apply connection rules to them. WFAS is very different than the Windows Firewall of 10 years ago, and if you are not making use of it today I seriously recommend that you reconsider.

You have been reading a chapter from
Windows Server 2016 Security, Certificates, and Remote Access Cookbook
Published in: Apr 2018
Publisher:
ISBN-13: 9781789137675
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image