Tuesday, November 8, 2016

To Centralize or Not To Centralize

In my last post I discussed how Windows Filtering Platform auditing can generate the necessary log records for creating outbound rule sets, continuing my theme of applying outbound restrictions to specific applications that are abused to bypass mitigations such as pre-defined application allow lists. With this audit configuration, along with a rule set that defaults to allow and doesn't have any block entries, machines can run for a while to start generating a list of IP addresses to allow.

While that is simmering on the back burner now is a good time to think about how we would like to deploy should we choose to accept this mission (how's that for mixing metaphors?). There are two methods that I am aware of that this can be configured.
  1. Local workstation policy
  2. Group Policy
I think that there are benefits and disadvantages to both approaches, so they are both worth some consideration. I have yet to run into any feature differences when deploying it GPO vs. locally (or vice-versa), but I do think that there are some tactical advantages to using GPOs. If GPOs aren't available to you (for example, home/standalone computers or a workgroup) then a local configuration still provides benefit beyond having nothing at all.

Local Policy
This is where I started getting my feet wet when working with Windows Firewall with Advanced Security. The biggest benefit to me at the time was that if I misconfigured something it only affected my test device and I had direct access to the machine to undo any changes. It allowed me to experiment and verify rules worked as expected while getting comfortable with the options and interface.

The local firewall policy can be configured using the MMC console. This can be opened in several ways, here are two:
  1. Control Panel > System and Security > Windows Firewall > Advanced Settings
  2. MMC Console > File - Add/Remove Snap-in... > Windows Firewall with Advanced Security - Add > Local Computer - Finish.
(Note: depending on the settings on your computer, these will only work if you have access to a local administrator account and/or with UAC elevation.)

Once the GUI is open we have the ability to add or remove rules that affect the local computer. If necessary the policy can be created and then exported, allowing us to import it on another computer or back it up in case it needs to be restored.

Group Policy
The GPO configuration can be managed with the Group Policy Management utility. A new group policy has to be created or an existing one edited. Right click the policy to be modified, and then navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security. This GUI is very similar to the local configuration.

When making GPOs it can be helpful to create multiple firewall specific GPOs that have similar rule sets depending on the security requirements of the machines that they are applied to. These can then be selectivly applied using WMI filters or security filters, but this won't work in some environments so YMMV.

Pros and Cons
Choosing which method (or even a combination of the two) to deploy depends on the needs of the environment. It is possible to use Local or GPO, as well as GPO with a merge of a local policy. I can't think of a scenario where I would ever want to use the merge option - I usually disable that capability by removing the selection for "Allow local firewall rules". (This can be found by selecting a profile in a GPO configuration, selecting "Customize...", and under "Rule merging" setting "Apply local firewall rules" to "No").

So which one works best in a corporate environment? I think that local policies carry some very substantial risks.

  1. If malicious code executes on a machine and is able to obtain admin privileges it can create policy rules allowing the traffic out or turning the firewall off and bypassing restrictions. 
  2. Local policies can also be changed by local administrators, allowing them to turn it on or off or add/remove rules which can quickly lead to configuration drift. 
  3. A lot of programs will also create very liberal outbound policies when they are installed. 

When all of these are combined the result is an unpredictable and difficult to manage firewall configuration that I wouldn't recommend in a corporate environment.

That said, there are two critical cons to using GPOs that must be considered and mitigated appropriately if this deployment method is used.

  1. If it is misconfigured, outbound GPOs can prevent machines from receiving future GPOs and prevent them from communicating with critical services. This is probably the largest deterrent to using this technology and would probably be a resume generating event in most environments. It is why I spent so much time focusing on the block list capabilities with inverse ranges that I talked about in a previous post.
  2. There is a psuedo-random delay (sometimes up to several hours) between when a change is made to the policy and when it takes affect on an endpoint. This could be a problem if something needed to be rolled out rapidly.

If appropriately configured (not allowing local rule merging) and tested, a GPO can be much more difficult to bypass or disable and can be implemented safely and effectively. This raises the difficulty and cost for attackers, forcing them to abandon many of the mechanisms that are used with malware today.

That said, if admin rights are obtained it could be possible to disable the firewall regardless of the chosen deployment method. At that point it would also be possible (and maybe easier) to just overwrite or attack a permitted application than trying to disable the firewall.

A lot of this hinges on obtaining local admin rights. If end users are browsing the internet and using office productivity applications with local admin privileges there are many options for getting around this (and many other) controls regardless of how they are applied. It is also important to apply security patches in a timely manner to limit the ability of code to elevate privileges using exploits. Windows Firewall with Advanced Security outbound controls can only work if they are a part of a larger ecosystem of controls that work in concert. I believe these outbound controls (or any endpoint firewall with this type of capability) are a critical part of the ecosystem, but can't stand without it.

Regardless of which method is chosen for deployment, PowerShell is has been my friend. Both local and group policies can be directly created, viewed, edited, and deleted with PowerShell. This allows routine tasks to be saved as scripts (for example, modifying the destination IP allowed list to accomodate for a previously unseen destination or removing a destination IP that is no longer necessary). Large lists of IP addresses can be maintaned as files and then imported with PowerShell and applied to the appropriate policy, saving time and difficulty navigating these in the GUI.

I plan to cover PowerShell specifics in a future post - it has saved me an immense amount of time and allowed me to scale and deploy this as a mitigation tool where it otherwise wouldn't have been practical.

Until then, work hard and spend time with your family.
Branden
@limpidweb