I'm currently working on getting my Windows 11 devices compliant with the CIS (Center for Internet Security) benchmark. This takes some effort, especially if you don't use Group Policy anymore. For those who don't know CIS benchmarks, get more details here: CIS Benchmarks () and here: Center for Internet Security (CIS) Benchmarks – Microsoft Compliance | Microsoft Docs.

The CIS Benchmark for Microsoft Windows 11 Enterprise dictates that logging for Windows Firewall is enabled and configured with certain settings. None of those settings, at the time of writing, are available natively via Intune, so I have chosen to resort to PowerShell and Proactive Remediations. My scripts will create a log file for each firewall profile (Domain, Private and Public) and make sure those log files are configured with the correct permissions (otherwise the Defender engine won't have permissions to write to the files). Firewall logging will then be enabled with the recommended values.

Microsoft Defender for Endpoint has a baseline assessment feature, which will ease the work of getting compliant with the CIS benchmark. The feature is found in the Microsoft 365 Defender portal here: (). When a baseline assessment profile has been configured, and more specifically the one for Windows 11 based on CIS benchmarks, you will see which settings the baseline is measuring. In this scenario the settings related to the Windows Firewall are of interest, and in order to get compliant you will have to, among other settings, configure the log size to greater than or equal to 16,384 KB.

I have split the scripts into 2 categories: one for creating the log files with the correct permissions, and another for enabling the actual logging on each firewall profile (domain, private and public).

Detect-WindowsFirewallLogFiles.ps1
Find this script on my GitHub: Proactive-Remediations/Detect-WindowsFirewallLogFiles.ps1 at main
This script detects if the log files for each firewall profile exist. If they do not exist or do not have the correct permissions applied, the script will exit with error code 1, instructing the Intune Management Extension to kick off the remediation script. The correct permissions are the ones shown in the screenshot.

Remediate-WindowsFirewallLogFiles.ps1
Find this script on my GitHub: Proactive-Remediations/Remediate-WindowsFirewallLogFiles.ps1 at main
This script will create the log file for each Windows Firewall profile (domain, private and public) with the correct permissions.

Detect-WindowsFirewallLogging.ps1
Find this script on my GitHub: Proactive-Remediations/Detect-WindowsFirewallLogging.ps1 at main
This script detects if each firewall profile is configured to enable logging according to CIS recommendations. If any of the 3 profiles is not configured accordingly, the script will exit with error code 1, instructing the remediation script to kick off.

Remediate-WindowsFirewallLogging.ps1
Find this script on my GitHub: Proactive-Remediations/Remediate-WindowsFirewallLogging.ps1 at main
This script will configure logging for all 3 Windows Firewall profiles according to CIS recommendations. The logging path will be set to a specific path, the log size to 16384 KB, and logging will be enabled for both allowed and blocked connections.

Put all of this to use with Proactive Remediations within Microsoft Intune. For your inspiration, below is a snippet of the 2 script packages running in my environment:
Detect-Remediate-Windows-Firewall-Log-Files: this is the job creating the log files with the correct permissions.
Detect-Remediate-Windows-Firewall-Logging: this is the job configuring the logging on each firewall profile.
Each script package should be configured similar to the screenshot below. The scripts return their output to the C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension log.

Automated Auditing and Hardening of Windows
HardeningKitty is a PowerShell script for Windows hardening. Finding lists can be used to read out and evaluate hardening settings, and different modules are used to read out the information. The finding lists are based on the authors' own experience and on the Microsoft Security Baselines, and they can be edited or supplemented with simple means. The contribution to KleptoKitty introduced a framework for lateral-movement attacks, which should facilitate attacks on systems in a Windows network. For such attacks to be successful, attackers must have local administrator rights to read out the LSA process and be able to communicate with other systems. With a well-hardened operating system, the chance of success for attackers can be reduced. In addition, the probability of detecting attacks at an early stage increases.
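Returning to the four Proactive Remediation scripts in the firewall logging post above: the following is an added example written for this page, not the author's GitHub scripts. It folds both script packages into one file so the detection logic (file exists, ACL is right, profile logging matches the CIS values) and the remediation logic (create file, set ACL, configure profile) can be read side by side. Two things it assumes that the post does not spell out: the log paths are the ones the CIS benchmark recommends for the three profiles, and "correct permissions" is taken to mean Full Control for the Windows Defender Firewall service account (NT SERVICE\mpssvc), which is the process that writes these logs; the author's actual ACL is only in a screenshot.

```powershell
# Added example, not the author's scripts: one file that shows both halves of the
# two Proactive Remediation packages described above. Without parameters it behaves
# as a detection script (exit 0 = compliant, exit 1 = remediation needed); with
# -Remediate it creates the log files, fixes their ACL and configures each profile.
# Assumptions not stated on the page: the log paths are the ones the CIS benchmark
# recommends, and "correct permissions" means Full Control for the Windows Defender
# Firewall service account (NT SERVICE\mpssvc), which is the process writing the logs.
[CmdletBinding()]
param([switch]$Remediate)

$ServiceAccount = 'NT SERVICE\mpssvc'       # assumption, see above
$MinSizeKB      = 16384                     # CIS: 16,384 KB or greater
# Keep the unexpanded %SystemRoot% form: that is the string form the benchmark quotes
$Desired = [ordered]@{
    Domain  = '%SystemRoot%\System32\LogFiles\Firewall\domainfw.log'
    Private = '%SystemRoot%\System32\LogFiles\Firewall\privatefw.log'
    Public  = '%SystemRoot%\System32\LogFiles\Firewall\publicfw.log'
}

function Test-LogFileAcl {
    param([string]$Path)   # expanded path
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    # Any Allow ACE (explicit or inherited) granting FullControl to the service account
    $ace = (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.IdentityReference.Value -ieq $ServiceAccount -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $full) -eq $full)
    }
    return [bool]$ace
}

function Test-ProfileLogging {
    param([string]$Name, [string]$ExpectedPath)
    $p = Get-NetFirewallProfile -Name $Name
    # LogFileName comes back with %SystemRoot% unexpanded, so expand both sides;
    # LogAllowed/LogBlocked are GpoBoolean (True/False/NotConfigured), compare as strings
    $actual   = [Environment]::ExpandEnvironmentVariables($p.LogFileName)
    $expected = [Environment]::ExpandEnvironmentVariables($ExpectedPath)
    return ($actual -ieq $expected) -and
           ($p.LogMaxSizeKilobytes -ge $MinSizeKB) -and
           ("$($p.LogAllowed)" -eq 'True') -and
           ("$($p.LogBlocked)" -eq 'True')
}

function Get-NonCompliantProfiles {
    # Names of profiles failing either the file/ACL check or the logging-settings check
    foreach ($name in $Desired.Keys) {
        $path = [Environment]::ExpandEnvironmentVariables($Desired[$name])
        if (-not (Test-LogFileAcl -Path $path) -or
            -not (Test-ProfileLogging -Name $name -ExpectedPath $Desired[$name])) {
            $name
        }
    }
}

function Invoke-Remediation {
    foreach ($name in $Desired.Keys) {
        $path = [Environment]::ExpandEnvironmentVariables($Desired[$name])
        $dir  = Split-Path -Parent $path
        if (-not (Test-Path -LiteralPath $dir))  { New-Item -ItemType Directory -Path $dir  -Force | Out-Null }
        if (-not (Test-Path -LiteralPath $path)) { New-Item -ItemType File      -Path $path -Force | Out-Null }
        # Add (or replace) one Allow/FullControl ACE for the service; other ACEs are left alone
        $acl  = Get-Acl -LiteralPath $path
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'FullControl', 'Allow')
        $acl.SetAccessRule($rule)
        Set-Acl -LiteralPath $path -AclObject $acl
        # The profile settings CIS asks for: path, size limit, log dropped and allowed connections
        Set-NetFirewallProfile -Name $name -LogFileName $Desired[$name] `
            -LogMaxSizeKilobytes $MinSizeKB -LogAllowed True -LogBlocked True
    }
}

$bad = @(Get-NonCompliantProfiles)
if ($Remediate -and $bad.Count -gt 0) {
    Invoke-Remediation
    $bad = @(Get-NonCompliantProfiles)    # re-check so the remediation reports its own result
}
if ($bad.Count -gt 0) {
    Write-Output "Firewall logging not compliant on profile(s): $($bad -join ', ')"
    exit 1
}
Write-Output 'Windows Firewall logging is compliant on the Domain, Private and Public profiles'
exit 0
```

Run it elevated (Proactive Remediation runs scripts as SYSTEM, so in Intune that is automatic; tick the 64-bit PowerShell option so the NetSecurity module resolves). For an actual Intune package the same code is split into two files: the detection file is everything except `Invoke-Remediation` and ends with the exit-code logic, and the remediation file calls `Invoke-Remediation` unconditionally. Expanding `%SystemRoot%` on both sides of the path comparison matters because `Get-NetFirewallProfile` returns the unexpanded string while the file on disk needs the expanded one; comparing the raw strings would report a false non-compliance whenever the two were written in different forms.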