It's a matter of fact that modern computer systems are insecure: viruses, malicious actors, Trojan programs, etc. are always trying to break into our systems using known and not yet published bugs in the OS and its services. MS Windows has a long history of security flaws and vulnerabilities; more than a hundred bugs are discovered in the system each year. You may install a honeypot from this nice list and assign it a public (white) IP to get an idea of how aggressive the attempts to break into your system are.

If you think that your rigs are protected by your NAT 1) router, then think twice (credits arstechnica.com):

(11/29/2018) More than 45,000 Internet routers have been compromised by a newly discovered campaign that’s designed to open networks to attacks by EternalBlue, the potent exploit that was developed by, and then stolen from, the National Security Agency and leaked to the Internet at large, researchers said Wednesday... As a result, almost 2 million computers, phones, and other network devices connected to the routers are reachable to the Internet on those ports. 

If you are interested in the security of computer systems, then I would recommend you learn how to use the Nmap network scanner and/or the OpenVAS tools. Who knows, maybe you'll find a new bug in MS products and earn $100,000 by submitting the bug report to the MS bounty program.

Configuring Windows Defender Firewall

Unfortunately, a computer connected by an Ethernet 2) cable to a network can't be 100% secured; there is always a risk of being compromised, but we may lower that risk by protecting our system by means of Windows Defender Firewall 3).

Consider the quote below (credits rackspace.com Best practices for firewall rules configuration):

Block all traffic by default and explicitly allow only specific traffic to known services. This strategy provides good control over the traffic and reduces the possibility of a breach because of service misconfiguration.

I totally agree with it. We'll configure Windows Firewall in exactly the same way: block all inbound connections and add rules allowing selected services to accept incoming packets. Note: services such as TeamViewer, RDP, etc. will not be affected; they will continue working as before.


You may configure Windows Firewall either manually by following this how-to or by running the script ConfigureFirewall.bat.

Blocking inbound connections

STEP 1. Open firewall control panel

1. Press WINLOGO+S to open search dialog.

2. Type firewall into the search box.

3. Click the Check firewall status item.

(Screenshot: firewall_00.pdn)


STEP 2. Verify firewall status

4. Be sure that the firewall is ON for all of your networks.

5. Use the Turn Windows Defender Firewall on or off control panel if the firewall is off for some of your networks.

(Screenshot: firewall_01.pdn)


STEP 3. Open Advanced Settings panel

6. Click the Advanced settings menu item.

(Screenshot: firewall_02.pdn)


STEP 4. Verify default policy

7. Each Profile should be configured as follows:

Windows Defender Firewall is on.
Inbound connections that do not match a rule are blocked.
Outbound connections that do not match a rule are allowed.

8. If your configuration differs from the above settings, then click the Windows Defender Firewall Properties label to open the configuration dialog and follow clauses 9 and 10. If it's OK, then jump to STEP 5.

(Screenshot: firewall_03.pdn)

9. Click each profile's tab and configure the State fields as follows:

Firewall state: On (recommended)
Inbound connections: Block (default)
Outbound connections: Allow (default)

10. If your configuration differs from the above settings, then click the Windows Defender Firewall property label to call the configuration dialog.

(Screenshot: firewall_04.pdn)


STEP 5. Backup firewall configuration

I recommend saving your current firewall configuration into a file. You'll be able to undo all of your changes if something goes wrong by importing these settings back.

11. Click the Export Policy item.

(Screenshot: firewall_05.pdn)

12. Select a folder (it's up to you).

13. Type a name for the exported file, for example firewall_settings. It'll be saved with the .wfw extension.

14. Press the Save button.

(Screenshot: firewall_06.pdn)

15. Click the OK button.

(Screenshot: firewall_07.pdn)


STEP 6. Disable existing Allow rules

Let's disable all existing firewall rules that allow inbound connections.

16. Click the Inbound rules item.

17. Click the Filter by state item to show the popup menu.

18. Click the Filter by Enabled item in the popup menu.

(Screenshot: firewall_08.pdn)

Selecting all rules

19. Click the header of the Action column to get a sorted list.

20. Select the first item in the list by clicking on it.

21. Scroll down the list with the mouse wheel or using the scrollbar.

(Screenshot: firewall_09.pdn)

22. Scroll to the last Allow rule (its particular name is unimportant; it could be the last item in the list at the very bottom).

23. Press the Shift key on your keyboard and, while holding it down, click the last item with the left mouse button to select all Allow items in the list. They should all turn blue (selected).

24. Click the Disable rule item. Wait from 1 to 10 seconds.

25. Click the Clear All Filters item.

(Screenshot: firewall_10.pdn)

Your final list may look something like this.

26. Note the absence of any Allow (green) / Block (red) icon in front of each rule's name.

Well done! Continue to the next section below.

(Screenshot: firewall_11.pdn)
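The scripted equivalent of STEPs 4 to 6 above, as an added example that is not the page's ConfigureFirewall.bat: it backs up the policy first, sets the default actions on every profile, then disables every enabled inbound Allow rule. The backup path is an assumption; run it from an elevated PowerShell prompt.

```powershell
# Added example, not the page's own script: STEPs 4-6 in one go.
#Requires -RunAsAdministrator

# STEP 5 first: export the current policy so everything below can be undone
# later with: netsh advfirewall import <file>
$backup = Join-Path $env:USERPROFILE 'firewall_settings.wfw'   # path is an assumption
netsh advfirewall export $backup | Out-Null
"policy backed up to $backup"

# STEP 4: firewall on, inbound default Block, outbound default Allow, for all profiles.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

# STEP 6: disable every inbound rule that is currently enabled and allows traffic.
$allowRules = @(Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow)
$allowRules | Disable-NetFirewallRule
"disabled {0} inbound Allow rule(s)" -f $allowRules.Count

# Verify the result the same way the Advanced Settings panel shows it.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize
```

After running it, Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow should return nothing, which matches the empty icon column in the screenshot above.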


Explicitly block unwanted/illegal traffic

STEP 1. Block listening services.

You may call me paranoid, but the above steps were just a passive defense. I would like to take a more proactive approach against possible network attacks. Just skip the next steps if you don't want/need it (not recommended).

So, first of all I'm going to create block rules for all listening services on my rig. To do this we need a list of active listening ports on our computer.

To get a list of all LISTENING 4) ports on your PC, run 5) the command:

netstat -an | findstr LISTEN

or run this small one-liner to get the same list extended by process info (preferred way):

powershell -Command "& Get-NetTCPConnection | ? {($_.State -eq 'Listen') -and ($_.RemoteAddress -eq '0.0.0.0')} | ForEach { $n=(Get-Process -ErrorAction SilentlyContinue -PID $_.OwningProcess -FileVersionInfo ).FileName; if ( $n -eq $null ) { $n=(Get-Process -ErrorAction SilentlyContinue -PID $_.OwningProcess).Name }; New-Object PSObject -Property @{ Port=$_.LocalPort; Name=$n; PID=$_.OwningProcess } }"

This is a possible output of the above command on a freshly installed Windows machine:

(Screenshot: netstat_00.pdn)

Consult this table of known TCP/UDP ports if you want to know which services are listening on which port. In my particular case I'm going to block ports 49664-49675, 3389, 139 and 135.

Here is a list of well-known ports that should be explicitly blocked:

1. Windows RPC 6) - TCP/UDP ports 135 7), 593 8), 49664-49675 9)

2. Windows Deployment Services (WDS) 10) - TCP/UDP port 540 11)

3. NetBIOS 12) Name Service - TCP/UDP port 137 13)

4. NetBIOS Datagram Service - TCP/UDP port 138 14)

5. NetBIOS Session Service - TCP/UDP port 139 15)

6. TCP NetBIOS helper - TCP port 445 16)

7. UPnP Service - TCP port 5000 17)

8. DNSCache Service - TCP/UDP port 5353 18)

9. Windows Update Delivery Optimization - TCP/UDP port 7680 19)

10. Windows Remote Desktop Protocol (RDP) - TCP port 3389 20)

Don't block port 3389 if you are planning to access your rig over RDP. But if you do plan to, I would highly recommend changing its port number and creating an Allow rule for it (see below).
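The explicit Block rules for the ten port groups listed above, as an added example (not the page's ConfigureFirewall.bat). The rule names, the $KeepRdp switch and the "one rule per service and protocol" layout are my assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example, not the page's own script: explicit inbound Block rules for the list above.
# In Windows Firewall an explicit Block rule wins over any Allow rule, so these hold
# even if an Allow rule for the same port is re-enabled later.
#Requires -RunAsAdministrator

$KeepRdp = $true   # assumption: set to $false only if you never use RDP on this rig

# Port groups exactly as listed above; LocalPort accepts ranges such as '49664-49675'.
$blocks = @(
    @{ Name = 'Windows RPC';                 Proto = 'TCP', 'UDP'; Port = '135', '593', '49664-49675' }
    @{ Name = 'Windows Deployment Services'; Proto = 'TCP', 'UDP'; Port = '540' }
    @{ Name = 'NetBIOS Name Service';        Proto = 'TCP', 'UDP'; Port = '137' }
    @{ Name = 'NetBIOS Datagram Service';    Proto = 'TCP', 'UDP'; Port = '138' }
    @{ Name = 'NetBIOS Session Service';     Proto = 'TCP', 'UDP'; Port = '139' }
    @{ Name = 'TCP NetBIOS helper';          Proto = 'TCP';        Port = '445' }
    @{ Name = 'UPnP Service';                Proto = 'TCP';        Port = '5000' }
    @{ Name = 'DNSCache Service';            Proto = 'TCP', 'UDP'; Port = '5353' }
    @{ Name = 'Delivery Optimization';       Proto = 'TCP', 'UDP'; Port = '7680' }
    @{ Name = 'Remote Desktop Protocol';     Proto = 'TCP';        Port = '3389' }
)

foreach ($b in $blocks) {
    # Leave RDP reachable when requested (see the note above about moving it off 3389).
    if ($KeepRdp -and ($b.Port -contains '3389')) { continue }

    foreach ($proto in $b.Proto) {
        $name = "Block inbound $($b.Name) ($proto)"
        # Idempotent: a second run must not create duplicate rules.
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
            -Protocol $proto -LocalPort $b.Port -Profile Any | Out-Null
        "created: $name"
    }
}

# Review what was created, with the port filter attached to each rule.
Get-NetFirewallRule -DisplayName 'Block inbound *' |
    ForEach-Object { $_ | Get-NetFirewallPortFilter |
        Select-Object @{ n = 'Rule'; e = { $_.InstanceID } }, Protocol, LocalPort }
```

Each rule shows up in the Inbound Rules list with the red Block icon; disabling or deleting the rule by its display name undoes that single block without touching the others.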



6) Windows RPC general info: Windows RPC
7) Port 135
8) Port 593
9) Ports 49664-49675: fingerprinting and port scanning
11) Port 540
12) NetBIOS general info
13) NetBIOS Name Service port 137
14) NetBIOS Datagram Service port 138
15) NetBIOS Session Service port 139
16) TCP NetBIOS helper port 445
17) UPnP Service port 5000
18) DNSCache Service port 5353
19) DNSCache Service port 7680
20) Remote Desktop Protocol port 3389
