Live Response: Controlling Windows Firewall Using Netsh

Imagine a scenario where you discover vulnerable ports, or need to temporarily block an application, port, or similar. Many environments use GPOs to set their firewall profiles and exceptions, but on the fly we can make changes in real time to protect the machine from whatever it is you are hunting down or want to restrict.

If you aren't familiar with Network Shell, read up on the Netsh command-line utility, which lets you configure local and remote computers. Netsh as a whole has a number of features, but in this write-up we are going to focus on the advanced firewall settings.

Once in your Live Response UI, get started by typing:

netsh

This drops you into the utility's interactive shell and gives you its full set of contexts. We are going to use the context for Windows Firewall with Advanced Security:

advfirewall

Notice how the prompt switches from the file path to "netsh>" and then to "netsh advfirewall>", showing where you are in the utility. Maybe you are investigating the current state and want to see which settings are enabled. Simply type:

show allprofiles

  • Domain Profile = configuration settings for Windows systems within the Windows Domain
  • Private Profile = configuration settings for use in networks like your home but not controlled by a Windows Domain
  • Public Profile = configuration settings for use in networks like a coffee shop but not controlled by a Windows Domain

In each profile's settings, we can see the following:

  • State shows whether the firewall is on/off and usable
  • Firewall Policy shows the inbound/outbound policy
  • Local Firewall Rules shows whether firewall rules are locally applied or come from GPO
  • Local Con Sec Rules shows whether connection security rules are locally applied or come from GPO
  • Inbound User Notification shows whether the user is notified on inbound connections
  • Remote Management shows whether remote management can be used
  • Logging is the header for the logging settings that follow
  • Log Allowed Connections shows whether allowed connections are logged
  • Log Dropped Connections shows whether dropped connections are logged
  • File Name shows the path and name of the firewall log
  • Max File Size shows the maximum size of the firewall log (in KB)
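Reading that output by eye is fine for one host, but during live response it helps to have the checks scripted. The following is an added example (not part of the original post) that parses the output of "netsh advfirewall show allprofiles" and reports the settings a responder would normally want changed: a profile that is OFF, an inbound policy that is not BlockInbound, or dropped-connection logging that is disabled. The sample output embedded below is constructed to mirror the real layout; the -Live switch queries the local machine instead.

```powershell
# Added example, not from the original post. Parses "netsh advfirewall show
# allprofiles" output and flags weak settings. $sample below is constructed.
param([switch]$Live)   # -Live runs netsh on this host instead of using $sample

function ConvertFrom-NetshProfiles {
    param([Parameter(Mandatory)][string[]]$Lines)
    $profiles = [System.Collections.Generic.List[object]]::new()
    $current = $null
    foreach ($line in $Lines) {
        # Each profile begins with a header such as "Domain Profile Settings:"
        if ($line -match '^(Domain|Private|Public) Profile Settings:') {
            $current = [ordered]@{ Profile = $Matches[1] }
            $profiles.Add($current)
            continue
        }
        # Setting lines are "<name><2+ spaces><value>"; names may contain spaces
        if ($null -ne $current -and $line -match '^(.+?)\s{2,}(.+?)\s*$') {
            $current[$Matches[1]] = $Matches[2]
        }
    }
    return $profiles
}

function Test-NetshProfiles {
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($p in ConvertFrom-NetshProfiles -Lines $Lines) {
        if ($p['State'] -ne 'ON') {
            [pscustomobject]@{ Profile = $p['Profile']; Finding = 'Firewall is OFF' }
        }
        if ($p['Firewall Policy'] -notlike 'BlockInbound*') {
            [pscustomobject]@{ Profile = $p['Profile']; Finding = "Inbound policy is $($p['Firewall Policy'])" }
        }
        if ($p['LogDroppedConnections'] -ne 'Enable') {
            [pscustomobject]@{ Profile = $p['Profile']; Finding = 'Dropped connections are not logged' }
        }
    }
}

# Constructed sample in the layout netsh prints (two profiles shown for brevity)
$sample = @'
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
LocalFirewallRules                    N/A (GPO-store only)
LocalConSecRules                      N/A (GPO-store only)
InboundUserNotification               Enable
RemoteManagement                      Disable
UnicastResponseToMulticast            Enable

Logging:
LogAllowedConnections                 Disable
LogDroppedConnections                 Enable
FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize                           4096

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       AllowInbound,AllowOutbound
LocalFirewallRules                    N/A (GPO-store only)
LocalConSecRules                      N/A (GPO-store only)
InboundUserNotification               Enable
RemoteManagement                      Disable
UnicastResponseToMulticast            Enable

Logging:
LogAllowedConnections                 Disable
LogDroppedConnections                 Disable
FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize                           4096
Ok.
'@ -split "`r?`n"

$lines = if ($Live) { netsh advfirewall show allprofiles } else { $sample }
Test-NetshProfiles -Lines $lines | Format-Table -AutoSize
```

Against the constructed sample the Domain profile produces no findings and the Public profile produces three (state OFF, AllowInbound policy, dropped connections not logged). The parser keys on the two-or-more-space gap between setting name and value, so a value that itself contains single spaces, like "N/A (GPO-store only)", is kept intact.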

Maybe you run this and see the profile is off. Intercept-X can enforce this, but if you're looking to do it quickly, run:

set currentprofile state on

Perhaps you're preparing for an upcoming security audit and see that a user has made an override and opened RDP to the public internet so they can reach their machine over the web. We can easily kill this rule using:

firewall delete portopening tcp 3389

This follows the pattern firewall <action> <decision> <protocol> <port>. Note that firewall here is the legacy netsh firewall context, the older and now deprecated counterpart of advfirewall firewall, which identifies rules by name rather than by port.

Or if you're trying to determine whether the firewall is blocking an action, simply enable logging:

firewall set logging C:\Firewall.log 4096 enable

Where C:\Firewall.log is your <filepath> location, 4096 is your <maxFileSize> in KB, and enable turns on logging of dropped packets.

Now that you've logged your traffic, you can see that the program is indeed being blocked. You can quickly add the exception to make sure it works before applying it through your GPO settings:

firewall add allowedprogram "C:\Program Files\Veeam\VeeamClient.exe" "Veeam Client"

Where allowedprogram is the <programDecision>, the quoted path is the <programPath> (the quotes are needed because of the space in Program Files), and "Veeam Client" is the name the new exception is given.
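The four steps above (turn the profile on, remove the RDP opening, enable dropped-connection logging, allow the program) can also be expressed in the current "netsh advfirewall" syntax and checked for success, which matters when they are being run unattended over a Live Response session. The script below is an added example, not part of the original post: each netsh call goes through a helper that stops on a non-zero exit code, and a small parser reads the firewall log to list the DROP entries that confirm a program is being blocked. The rule name, the program path, the log path, the port 9392 and the sample log lines are assumptions constructed for this example.

```powershell
# Added example, not from the original post. Equivalent steps in the current
# "netsh advfirewall" syntax plus a firewall-log parser. Names, paths, port and
# the sample log lines are constructed assumptions.
param([switch]$Apply)   # without -Apply only the offline log parsing runs

function Invoke-Netsh {
    param([Parameter(Mandatory)][string[]]$Arguments)
    $out = & netsh.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "netsh $($Arguments -join ' ') failed ($LASTEXITCODE): $($out -join ' ')"
    }
    $out
}

# Step 1: make sure the active profile is enforcing
function Enable-ActiveProfile {
    Invoke-Netsh @('advfirewall', 'set', 'currentprofile', 'state', 'on')
}

# Step 2: counterpart of the legacy "firewall delete portopening tcp <port>".
# advfirewall deletes every rule matching the filter, so capture the output of
# "advfirewall firewall show rule name=all dir=in" in the case notes first.
function Remove-InboundTcpRules {
    param([Parameter(Mandatory)][int]$Port)
    Invoke-Netsh @('advfirewall', 'firewall', 'delete', 'rule', 'name=all',
                   'dir=in', 'protocol=tcp', "localport=$Port")
}

# Step 3: log dropped connections for the active profile (size is in KB)
function Enable-DropLogging {
    param([string]$Path = 'C:\Firewall.log', [int]$MaxSizeKb = 4096)
    Invoke-Netsh @('advfirewall', 'set', 'currentprofile', 'logging', 'filename', $Path)
    Invoke-Netsh @('advfirewall', 'set', 'currentprofile', 'logging', 'maxfilesize', "$MaxSizeKb")
    Invoke-Netsh @('advfirewall', 'set', 'currentprofile', 'logging', 'droppedconnections', 'enable')
}

# Step 4: allow a program by path. PowerShell quotes the argument when it
# invokes netsh, so the space in "Program Files" is safe.
function Add-AllowedProgram {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Name)
    Invoke-Netsh @('advfirewall', 'firewall', 'add', 'rule', "name=$Name", 'dir=in',
                   'action=allow', "program=$Path", 'enable=yes')
}

# Read a pfirewall-style log (W3C "#Fields:" header, space-separated rows) and
# return the DROP rows, optionally only those to one destination port.
function Get-DroppedConnections {
    param([Parameter(Mandatory)][string[]]$LogLines, [int]$DstPort = 0)
    $fields = $null
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if (-not $fields -or -not $line.Trim() -or $line.StartsWith('#')) { continue }
        $values = $line.Trim() -split '\s+'
        $row = [ordered]@{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $values.Count); $i++) {
            $row[$fields[$i]] = $values[$i]
        }
        if ($row['action'] -ne 'DROP') { continue }
        if ($DstPort -and $row['dst-port'] -ne "$DstPort") { continue }
        [pscustomobject]$row
    }
}

# Constructed sample log in the format Windows Firewall writes
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 09:15:02 DROP TCP 10.0.0.25 10.0.0.40 51522 9392 52 S 3948210 0 8192 - - - RECEIVE
2024-05-01 09:15:03 ALLOW TCP 10.0.0.40 10.0.0.25 49321 443 0 - 0 0 0 - - - SEND
2024-05-01 09:15:09 DROP UDP 10.0.0.90 10.0.0.40 137 137 78 - - - - - - - RECEIVE
'@ -split "`r?`n"

# Dropped inbound connections to the constructed port the blocked program listens on
Get-DroppedConnections -LogLines $sampleLog -DstPort 9392 |
    Format-Table 'date', 'time', 'protocol', 'src-ip', 'dst-port', 'path' -AutoSize

if ($Apply) {
    Enable-ActiveProfile
    Remove-InboundTcpRules -Port 3389
    Enable-DropLogging
    Add-AllowedProgram -Path 'C:\Program Files\Veeam\VeeamClient.exe' -Name 'Veeam Client'
    # Once real traffic has been logged, point the parser at the live file:
    # Get-DroppedConnections -LogLines (Get-Content C:\Firewall.log) -DstPort 9392
}
```

Run without switches it only parses the constructed log and prints the single TCP 9392 DROP row; with -Apply it makes the changes on the local host, throwing on the first netsh failure so a half-applied state is obvious rather than silent. The legacy firewall commands in the post and the advfirewall calls here act on the same Windows Firewall, so the "show allprofiles" check above will reflect either.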

Be sure to review all the capabilities of Netsh for troubleshooting daily issues or leveraging its power in an IR scenario.

Cheers

-jk