FCOA
Win2016 outbound firewall for Get-WmiObject
Need help determining the OUTBOUND Windows firewall rule(s) necessary to allow the following command to be run FROM a Win2016 server. The issue goes away if the Windows firewall is set to "Allow" all OUTBOUND connections.
Get-WmiObject -ComputerName $RemoteComputer -namespace "ROOT\Cimv2" -Class Win32_ComputerSystem
When the outbound firewall is enabled, the result of this command is a "No such interface supported" error, and the firewall log shows "DROP TCP x.x.x.x y.y.y.y 50011 49154 0 - 0 0 0 - - - SEND". The "Windows Management Instrumentation (WMI-Out)" rule is enabled with its default settings and is being respected, as it's visible in the "Monitoring" rules. I've also pretty much tried all available predefined outbound rules with no success.
ASKER
Yes, these are dynamic ports, so that change wouldn't hold.
So you will need to allow all high ports.
ASKER
Thanks, but that would sort of defeat the purpose of using the firewall. I'm looking for the specific rule(s) that would permit this.
I believe the rule in question will be tied to a specific service (and/or exe) that then permits traffic on "any" port, similar to how the predefined "Windows Management Instrumentation (WMI-Out)" rule, and rules like it, are configured. I've been surprised that I haven't found a predefined rule to do the job.
Thanks again for brainstorming with me.
ASKER
Since the service or EXE info isn't included in the firewall log, anyone have any suggestions on how one might track this down?
STATUS UPDATE:
The steps on this docs.microsoft.com article did not resolve the issue.
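The pfirewall.log DROP line above carries addresses and ports but no process, so the usual way to find the program behind a drop is the Windows Filtering Platform audit events rather than the firewall log. The following is an added example, not something posted in the thread: it turns on failure auditing for the "Filtering Platform Connection" subcategory, reproduces the failing Get-WmiObject call, and then reads the resulting Security-log event 5157 entries, which include the Application path of the process whose connection was blocked. It assumes an elevated PowerShell session on the Win2016 host; $RemoteComputer and $RemoteIp are placeholders for the target.

```powershell
# Added example (not from the original thread): identify which executable owns the
# outbound connection the firewall dropped. Assumes an elevated session on the
# Win2016 client; the two values below are placeholders, not from the thread.
$RemoteComputer = 'srv01.example.local'   # WMI target name (assumed)
$RemoteIp       = '10.0.0.20'             # its address, for filtering 5157 events (assumed)

# 1. Enable failure auditing for WFP connections. Each blocked connection is then
#    logged as Security event 5157 with Application, Direction, Protocol, ports and
#    the ID of the filter (firewall rule) that blocked it.
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable

# 2. Reproduce the failure; the error text is the same "No such interface supported".
$start = Get-Date
try {
    Get-WmiObject -ComputerName $RemoteComputer -Namespace 'ROOT\Cimv2' -Class Win32_ComputerSystem | Out-Null
} catch {
    Write-Warning "Get-WmiObject failed as expected: $($_.Exception.Message)"
}

# 3. Read back the 5157 events written since the test started. The XML Data fields
#    are keyed by name, so project the ones that matter into objects.
#    Direction is %%14593 for Outbound (%%14592 = Inbound); Protocol 6 is TCP.
#    Application is a device path, e.g. \device\harddiskvolume2\windows\system32\svchost.exe.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157; StartTime = $start } |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($field in $xml.Event.EventData.Data) { $d[$field.Name] = $field.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Application = $d['Application']
            ProcessID   = $d['ProcessID']
            Direction   = $d['Direction']
            Protocol    = $d['Protocol']
            SourcePort  = $d['SourcePort']
            DestAddress = $d['DestAddress']
            DestPort    = $d['DestPort']
            FilterId    = $d['FilterRTID']
        }
    } |
    Where-Object { $_.Direction -eq '%%14593' -and $_.DestAddress -eq $RemoteIp } |
    Format-Table -AutoSize

# 4. Disable the audit again; 5157 is very noisy on a busy server.
auditpol /set /subcategory:"Filtering Platform Connection" /failure:disable
```

The Application path tells you which program (and, for svchost.exe, the PID lets you map it to a service with `Get-CimInstance Win32_Service -Filter "ProcessId = <pid>"`) needs an outbound rule, and DestPort tells you whether it was the endpoint mapper (135) or a dynamic port.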
ASKER CERTIFIED SOLUTION
Is that your solution?
Excluding powershell will exclude any powershell script, malicious or not.
But honestly, it won't get much better and as I said, even Microsoft does by default allow all outgoing traffic, so they don't see a security problem.
ASKER
I'd say it's a substantially more restrictive solution than your suggestion, so I'm not sure why the snark is needed. Nor are your opinions on our security decisions necessary.
FWIW, here's Microsoft's statement on the topic:
By default, outbound filtering is disabled... However, it is a best practice for an administrator to create outbound allow rules for those applications that are approved for use on the organization’s network.
SOURCE: https://docs.microsoft.com/en-us/windows/security/identity-protection/windows-firewall/checklist-creating-outbound-firewall-rules
Sorry, what snark? No, not at all, I would have recommended the same, but I was pretty sure that you wouldn't want that.
And, although dated 2008, please read what MS has to say about "How Much Security Can Outbound Filtering Provide?"
https://technet.microsoft.com/en-us/library/2008.06.security.aspx
Old, but worth reading and still applying.
ASKER
Thanks for the read. Good stuff.
This gives me a good reason to also force the firewall enabled and force traffic blocks via GPO. We're already doing both these things on workstations, and we also force the firewall enabled on servers, but have thus far left the servers open to allow admins to stop blocking in or out traffic for troubleshooting purposes. While this will make it a tad more cumbersome for troubleshooting purposes (i.e. a GPO change will be required to allow traffic), it should help reduce risks further.
PS- We also have a custom script via Scheduled Task that will send IT Admins email alerts if a firewall is not set as expected. This was mostly a reminder for admins, in the event they failed to return the firewall back to blocking.
ASKER
IMPORTANT UPDATE:
In conjunction with the rule mentioned in comment a42492885 above, it appears a rule for "%SystemRoot%\system32\svchost.exe" on Remote Port TCP 135 is also required for the outbound remote command in question.
I wasn't able to further reduce this rule to a specific service. In fact, failures still occurred when the rule was set to anything other than "Apply to all programs and services".
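The two rules the asker ended up with map onto how WMI over DCOM actually connects: the remote activation request goes from the local RPCSS service (hosted in svchost.exe) to the remote RPC endpoint mapper on TCP 135, which hands back a dynamic port (49152-65535 by default on Vista/2008 and later, which is where the dropped 49154 in the log comes from), and the WMI calls themselves then go directly from the calling process, here powershell.exe, to that port. The predefined WMI-Out rule does not cover this because it is scoped to the winmgmt service, not to an arbitrary DCOM client. The following is an added example, not the certified solution (which is behind the membership wall) and not posted by anyone in the thread: it creates both outbound rules with New-NetFirewallRule, scoped to program, port range and target address rather than "all high ports" for everything. It assumes an elevated session on the Win2016 host, that the paywalled rule was a program rule for powershell.exe (inferred from the "Excluding powershell" reply), and uses a placeholder target address.

```powershell
# Added example (not from the thread): minimal outbound rules for Get-WmiObject against
# one remote host when outbound filtering is set to Block. Assumes an elevated session.
$RemoteComputer = '10.0.0.20'   # placeholder target address, not from the thread

# Rule 1: RPC endpoint mapper. The DCOM remote activation is made by the local RPCSS
# service inside svchost.exe to the target's TCP 135. The asker could not narrow this
# to one service in the GUI, so no -Service is given (default: any service in that
# program). Scoping by remote port and address keeps the svchost.exe rule narrow.
New-NetFirewallRule -DisplayName 'WMI client: RPC endpoint mapper (svchost)' `
    -Description 'Outbound DCOM activation to remote RPC endpoint mapper' `
    -Direction Outbound -Action Allow -Protocol TCP `
    -Program '%SystemRoot%\system32\svchost.exe' `
    -RemotePort 135 -RemoteAddress $RemoteComputer

# Rule 2: the dynamic DCOM port. After activation the WMI interface calls go from the
# calling process itself to the port the endpoint mapper returned, which lands in the
# default dynamic range 49152-65535 (the logged drop to 49154 is one of these).
# This replaces the predefined WMI-Out rule, which only covers the winmgmt service,
# and is far narrower than allowing all high ports for all programs.
New-NetFirewallRule -DisplayName 'WMI client: DCOM dynamic port (powershell)' `
    -Description 'Outbound WMI/DCOM calls from PowerShell to remote dynamic RPC port' `
    -Direction Outbound -Action Allow -Protocol TCP `
    -Program '%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe' `
    -RemotePort 49152-65535 -RemoteAddress $RemoteComputer

# Verify step by step: endpoint mapper reachable first, then the WMI call itself.
Test-NetConnection -ComputerName $RemoteComputer -Port 135 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

Get-WmiObject -ComputerName $RemoteComputer -Namespace 'ROOT\Cimv2' -Class Win32_ComputerSystem |
    Select-Object Name, Domain, Manufacturer, Model

# Review what was created; remove with Remove-NetFirewallRule -DisplayName 'WMI client:*' if needed.
Get-NetFirewallRule -DisplayName 'WMI client:*' |
    Format-Table DisplayName, Enabled, Direction, Action -AutoSize
```

If the target has a custom RPC dynamic range (set with `netsh int ipv4 set dynamicport tcp`) or a fixed WMI port, narrow rule 2 to that range instead; and if the scripts run under pwsh.exe or a scheduled task host rather than powershell.exe, the program path in rule 2 has to match that executable, since a program-scoped rule only covers the process that actually opens the socket.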
ASKER
No other relevant suggestions made.
Why you would disallow outgoing traffic at all is questionable. Microsoft themselves don't do it by default since they see no security implications.