Windows Firewall Rules for Assessment

We will require access to your machines from our test centre and will require you to allow access through your firewall if we are scanning via our appliance.

Firewall rules can be added with the PowerShell script below (Windows Defender Firewall; run it from an elevated "Run as Administrator" PowerShell session, as New-NetFirewallRule/Set-NetFirewallRule fail without administrator rights). If you use a different firewall, or prefer to add the rules manually, configure it to allow the following inbound rules:

  • Windows Management Instrumentation (Async-in)
  • Windows Management Instrumentation (DCOM-in)
  • Windows Management Instrumentation (WMI-in)
  • File and Print Sharing (SMB-in)
  • TCP ports 135, 137 and 445 inbound (note: 137 is normally UDP/NetBIOS name service rather than TCP — confirm with your assessor whether it is actually required before opening it)

The above rules must be restricted to the specific IP address(es) provided by your assessor — a single host (/32) rather than a whole subnet — and the script applies them to the Private and Public profiles. If the machine is domain-joined and its active profile is Domain, rules scoped to Private/Public will not apply and the Domain profile must be included instead. Disable or remove the rules again once the assessment is complete.

PowerShell Script

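#Requires -RunAsAdministrator
# Opens the inbound Windows Defender Firewall rules an external assessor needs
# (WMI Async/WMI/DCOM, SMB and an explicit 135/137/445 rule), scoped to the
# assessor's address only. Must run in an elevated PowerShell session:
# New-/Set-NetFirewallRule fail without administrator rights.
cls
Write-Host "Checking Firewall Rules are appropriate to allow access from our Data Centre" -foregroundcolor DarkMagenta -BackgroundColor White

# Add the IP address provided by Cyber Tec Security. 0.0.0.0 is a placeholder
# and is rejected below so that an unedited copy of the script cannot create rules.
$IPAddress = '0.0.0.0'
# Least privilege: scope to a single host. Only widen this if your assessor
# supplies a range; 255.255.255.0 would admit 254 addresses of the provider's
# network, not just the scanning appliance.
$IPMask = '255.255.255.255'

if ([string]::IsNullOrWhiteSpace($IPAddress) -or $IPAddress -eq '0.0.0.0') {
    Write-Host 'Set $IPAddress to the address supplied by your assessor before running this script.' -ForegroundColor Red
    exit 1
}
# Refuse anything that does not parse as an IP address so a typo cannot become
# an unintended rule scope.
if (-not [System.Net.IPAddress]::TryParse($IPAddress, [ref]$null)) {
    Write-Host "'$IPAddress' is not a valid IP address." -ForegroundColor Red
    exit 1
}

# Remote-address scope written onto every rule (single string, so -contains
# compares like with like).
$RemoteScope = "$IPAddress/$IPMask"

# Returns the RemoteAddress list a rule should have after adding $Address.
# Existing specific scoping is kept; "Any" (unscoped) is dropped, because
# enabling a rule that is open to every address defeats the purpose of scoping
# it to the assessor.
function Merge-RemoteAddress {
    param(
        [string[]] $Existing,
        [string]   $Address
    )
    $scoped = @($Existing | Where-Object { $_ -and $_ -ne 'Any' })
    if ($scoped -contains $Address) { return $scoped }
    return @($scoped + $Address)
}

# Ensures one inbound TCP allow rule exists, is enabled, and is scoped to $Remote.
# Existing rules (including the built-in WMI/SMB ones, matched by DisplayName)
# are updated in place; a missing rule is created on the Private and Public
# profiles. $Program and $LocalPort are optional, as in the original rule set.
function Set-AssessmentRule {
    param(
        [string] $Name,
        [string] $DisplayName,
        [string] $Description,
        [string] $Remote,
        [string] $Program = $null,
        [int[]]  $LocalPort = $null
    )
    Write-Host "Looking for Firewall Rule - $DisplayName" -ForegroundColor White
    $existing = @(Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue)
    if ($existing.Count -gt 0) {
        Write-Host "Firewall rule found" -ForegroundColor Green
        # Built-in rules can exist once per profile under the same DisplayName;
        # scope each one on its own so addresses from one rule are not copied
        # onto another.
        foreach ($rule in $existing) {
            $current = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
            Write-Host "Existing Remote IP Addresses ($($rule.Name)): $current" -ForegroundColor Cyan
            if (($current -contains $Remote) -and ($current -notcontains 'Any')) {
                Write-Host "Cyber Tec Security Rules Exist" -ForegroundColor Green
                $rule | Set-NetFirewallRule -Enabled True
            }
            else {
                $merged = Merge-RemoteAddress -Existing $current -Address $Remote
                Write-Host "Adding IP Addresses: $Remote" -ForegroundColor Green
                Write-Host "New Remote IP Addresses will be: $merged" -ForegroundColor DarkGreen
                $rule | Set-NetFirewallRule -RemoteAddress $merged -Enabled True
            }
        }
    }
    else {
        Write-Host "Firewall rule NOT found" -ForegroundColor DarkGreen
        $params = @{
            Name          = $Name
            DisplayName   = $DisplayName
            Description   = $Description
            Profile       = 'Private', 'Public'
            Direction     = 'Inbound'
            Protocol      = 'TCP'
            RemoteAddress = $Remote
            Action        = 'Allow'
            Enabled       = 'True'
        }
        if ($Program)   { $params.Program   = $Program }
        if ($LocalPort) { $params.LocalPort = $LocalPort }
        # NOTE(review): -Name reuses the built-in rule names. If a built-in rule
        # with that Name exists under a different (e.g. localised) DisplayName,
        # New-NetFirewallRule will refuse the duplicate name — rename if so.
        New-NetFirewallRule @params
    }
}

Set-AssessmentRule -Name 'WMI-ASYNC-In-TCP' `
    -DisplayName 'Windows Management Instrumentation (ASync-In)' `
    -Description 'Inbound rule to allow Asynchronous WMI traffic for remote Windows Management Instrumentation. [TCP]' `
    -Remote $RemoteScope `
    -Program '%systemroot%\system32\wbem\unsecapp.exe'

# Single backslashes: PowerShell strings have no backslash escaping, so a
# doubled "\\" is stored literally and would not match the real binary path.
Set-AssessmentRule -Name 'WMI-WINMGMT-In-TCP' `
    -DisplayName 'Windows Management Instrumentation (WMI-In)' `
    -Description 'Inbound rule to allow WMI traffic for remote Windows Management Instrumentation. [TCP]' `
    -Remote $RemoteScope `
    -Program '%SystemRoot%\system32\svchost.exe'

Set-AssessmentRule -Name 'WMI-RPCSS-In-TCP' `
    -DisplayName 'Windows Management Instrumentation (DCOM-In)' `
    -Description 'Inbound rule to allow DCOM traffic for remote Windows Management Instrumentation. [TCP 135]' `
    -Remote $RemoteScope `
    -Program '%SystemRoot%\system32\svchost.exe' `
    -LocalPort 135

Set-AssessmentRule -Name 'FPS-SMB-In-TCP' `
    -DisplayName 'File and Printer Sharing (SMB-In)' `
    -Description 'Inbound rule for File and Printer Sharing to allow Server Message Block transmission and reception via Named Pipes. [TCP 445]' `
    -Remote $RemoteScope `
    -Program 'System' `
    -LocalPort 445

# Catch-all port rule with no program restriction. 137/TCP is unusual (NetBIOS
# name service is UDP/137); it is kept as specified by the assessor — confirm
# it is really needed before opening it.
Set-AssessmentRule -Name 'CTS-PORT-OPEN' `
    -DisplayName 'Cyber Tec Security - Data Centre Port Access' `
    -Description 'Inbound rule to allow access to port 135, 137 and 445 from the Azure Data Centre VPN' `
    -Remote $RemoteScope `
    -LocalPort 135, 137, 445

# After the assessment, remove the catch-all rule and disable the others again:
#   Remove-NetFirewallRule -Name 'CTS-PORT-OPEN'
#   Disable-NetFirewallRule -DisplayName 'Windows Management Instrumentation (*)', 'File and Printer Sharing (SMB-In)'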

LOCAL ACCOUNT TOKEN FILTER POLICY

See a setup document here. Note that setting LocalAccountTokenFilterPolicy to 1 lets remote connections made with a local administrator account obtain a full (unfiltered) administrator token — which credentialed WMI/SMB scanning with a local account relies on — but it also removes that UAC remote restriction for every local administrator account on the machine. Prefer a domain account for the assessment where possible, and revert the setting once the assessment is complete.