35 System Hardening – Windows Firewall

Windows firewall is a powerful tool for creating firewall rules for an individual computer or an entire network. This activity aims to enable students to see how Active Directory (AD) can utilize group policies and Windows Defender Firewall to create firewall rules for devices connected to the AD server. In addition, this lab also teaches students the differences between inbound and outbound rules and how to create group policies that apply to devices. Finally, this lab will enable learners to see how communications between devices are altered due to the firewall rules created.

Learning Objectives

• Successfully deploy a server firewall to control communications between devices
• Observe how group policies can be applied to devices connected to the server
• Observe how firewall rules alter the communication abilities of devices

Prerequisites

• Chapter 8 – Creating a Windows Server
• Chapter 7 – Creating a Linux Server
• Chapter 16 – Introduction to Routers
• Chapter ?? – Creating a Windows 11 Desktop VM

Deliverables

• Labeled GNS3 workspace
• Router configurations
• Blocked pings from Client 3 to the Webserver
• Blocked pings from the Webserver to Client 2

Resources

• 1. MSFT WebCast. “Basic Configuration Tasks in Windows Server 2019.” YouTube, January 25, 2019. https://www.youtube.com/watch?v=1nxYJSV7-u8&list=PLUZTRmXEpBy32NP6z_qvVBOTWUzdTZVHt&index=4.
• 2. MSFT WebCast. “How to Join Windows Server 2019 to an Existing Active Directory Domain.” YouTube, February 1, 2019. https://www.youtube.com/watch?v=BEyNwwjo0u4.
• 3. MSFT WebCast. “How to Join Windows Server 2019 to an Existing Active Directory Domain.” YouTube, February 1, 2019. https://www.youtube.com/watch?v=BEyNwwjo0u4.
• 4. Tony Teaches Tech. “How to Block Ping Requests (on Windows, Linux, MAC).” YouTube, January 11, 2022. https://www.youtube.com/watch?v=52T2f8NfN0Y.

Contributors and Testers

• TBD

Phase I – Workspace Configuration

The following steps will guide you through the process of creating the baseline environment required.

By the end of the lab, your GNS3 environment should look like this.

1. In VirtualBox, ensure you have a Windows 11 desktop VM and a Windows server VM, and check each VM’s network settings
   1. Attached to: Generic Driver
   2. The Cable Connected option is checked
      

      

2. Start GNS3 and create a new project
3. Import the Windows 11 desktop with an experimental feature
   1. In GNS3 navigate to the top menu and select edit, preferences like normal
   2. In the VirtualBox VMs menu, select New and then choose the Windows 11 VM. However, make sure the “Use as a linked base VM (experimental)” box is checked
      

      

4. Create the physical Management network space shown above
   1. Add a switch
   2. Add 3 Windows 11 Clients
   3. Add a Windows Server and name it “Firewall”
   4. Connect all the devices to the switch
5. Turn on the Firewall server and one of the client machines connected to switch 1.

   NOTE: Turning on the two additional machines consumes a significant amount of your host computer’s memory and power, so limit the total number of machines running to three.

1. Log in to the server named “Firewall”
   1. Click on Local Server
   2. Left-click on the ethernet option in the middle of the screen
      

      

      1. Right-click on the ethernet icon and select properties
         

         

      2. In the new window, uncheck the IPv6 option
      3. Then click on the IPv4 option and click on the properties button
         

         

      4. On the IPv4 Properties screen,
         1. Click on Use the following IP address, enter “200.200.200.254” as the IP address, enter “255.255.255.0” as the subnet mask, and then enter “200.200.200.1” as the Default gateway
         2. In the Preferred DNS server box, enter an IP address of “200.200.200.254,” leave the alternate DNS box empty
         3. Click ok
            

            

      5. Click on close
   3. Close the network connections window
2. Add the client machine to the server domain
   1. Log into the client machine
   2. Click on the magnifying glass icon in the lower left-hand corner
   3. Enter the word cmd and press enter to access the command line
   4. Once the command line has popped up, enter the command:

      ncpa.cpl

      You should see the following window pop up

      

   5. As we did for the Server Firewall earlier, Right-click on one of the ethernet options and select Properties
      1. In the new window, uncheck the IPv6 option
      2. Click on the IPv4 option and select the properties button
         1. Make sure the option “Obtain an IP address automatically” is selected
         2. Make sure the option “Obtain DNS server address automatically” is selected
         3. Click on OK
            

            

      3. Click on close
   6. Close the network connections window
   7. In the CLI, type the following to make sure your VM has an IP address

      ipconfig

       

      

   8. Change the PC name
      1. Click on the magnifying glass icon in the lower left-hand corner and type Control Panel to open the Control Panel
         

         

      2. Click System and Security, then click on System
         

         

      3. Click on Rename this PC and reset the name to “Client-1”
      4. Reboot the VM
         

         

   9. Join the client to the domain
      1. Verify that we have a network administrator on the server
         1. On the Firewall Server, under tools, open the Active Directory Users and Computers menu
         2. Verify that Ian Worthington is listed as a user. If not, revisit the instructions for setting up a Windows server
         3. Right-click on Ian Worthington and select Add to a Group
         4. In the Enter the object names to select textbox, type “Domain Admins” then click Check Names, then click OK
            

            

      2. Navigate to client Win-1
         1. Type “Control Panel” in the search box to open the Control Panel
         2. Click on System and Security
         3. Click on System
         4. Scroll down until you see Domain or Workgroup and click on that
            

            

         5. On the system properties window, click on Change
            

            

         6. In the “Member of” section, click on Domain and type mycyber.local and press OK
            

            

         7. Verify the domain add with the credentials of Ian Worthington
            1. USERNAME: ian.worthington
            2. PASSWORD: Security1
         8. A positive informational window will pop up and you can press OK
            

            

         9. Repeat pressing OK/Accept/Agree until all windows are closed. Then, restart the client machine
      3. Navigate back to the firewall server
         1. Under Tools, open Active Directory Users and Computers
         2. Click on computers in the left pane, and you should see that Client-1 is now part of mycyber.local domain
            

            

3. Repeat the process above for the other two clients
4. If you have limited resources, you can add them 1 at a time. There is no need to have all three clients running

1. Insert a Net Cloud into the network and change the name to ISP
2. Create the DMZ by adding a switch and an Ubuntu Server (Renamed to Webserver)
3. Insert a Mikrotik router into the network and make the following connections
   1. ether1 – ISP
   2. ether2 – DMZ switch
   3. ether3 – Management switch
      

      

4. Start the router and configure it
   1. Assign the IP address 10.1.1.1/24 to ether 2

      > ip address add address=10.1.1.1/24 interface=ether2

   2. Assign the IP address 200.200.200.1 to ether 3

      > ip address add address=200.200.200.1/24 interface=ether3

   3. Run the following command to see that all interfaces have an IP address

      > ip address print

       

      

      Notice that ether1 picked up an IP address from the NAT cloud

1. Configure firewall profiles
   1. Navigate to the Firewall Server, click on server manager and then local server
   2. Click on the Tools in the upper right-hand corner. From tools, click on Active Directory Users and Computers
   3. In the left pane, right-click on mycyber.local, click new and then click Organizational Unit.
      1. Add the name of your chosen OU (EagleOU in the example)
      2. Uncheck the “Protect container from accidental deletion”
      3. Click OK
         

         

   4. Move the clients to the new Organizational Unit
      1. In the left pane, left-click on Computers under the mycyber.local
      2. Drag and drop all the clients in the right pane to EagleOU. If you get a popup, just select yes
         

         

   5. Adjust Active Directory Group Policy
      1. Go back into the tools tab and click on Group Policy Management
      2. In the left pane, expand Forest, Domains, and mycyber.local so you can see EagleOU
         

         

      3. Make the left pane larger (if needed) to see the names of all the folders
      4. Expand Group Policy Objects to see the objects already created
      5. Right-click Group Policy Objects, select the new option to create a new object. Name this object Firewall Rules 1 for easy identification and click ok
      6. Select the Firewall Rules 1 object, right-click on it, and select the Edit option to open the Group Policy Management Editor
         

         

         1. Under Computer Configuration, expand Policies and then expand Windows Settings and then Security Settings and then Windows Defender Firewall with Advanced Security
         2. Click on the Windows Defender with Advanced Security – LDAP… option
            

            

         3. In the right pane, select the blue text that states Windows Defender Firewall Properties to open the properties window
            

            

         4. In the Domain Profile tab,
            1. Set the firewall state to ON (recommended)
            2. Set the Inbound Connections to Allow 
            3. Set the Outbound Connections to Allow (Default)
   6. Set the same options in the Private and Public tabs and hit Apply and OK to close the window
   7. Close the Group Policy Management Editor window and return to the Group Policy Management window
   8. Highlight the EagleOU, then right-click on it, and select Link an Existing GPO
      

      

   9. Select the Firewall Rules GPO that you created and click OK
      

      

   10. Navigate to each of the client machines
       1. Open the cli by typing “cmd” in the search window
       2. Update the group policy by entering the following command:

          gpupdate /force

2. Connect the Webserver in the DMZ
   1. In GNS3 connect the web server to the switch and start it
   2. Configure the Webserver to have the IP address of “10.1.1.254” with a subnet mask of “255.255.255.0” and a default gateway of “10.1.1.1”
      Pretty sure this can be a VPCS instead of a server, but not positive yet. – HVH

      

   3. Leave DNS as the option that the machine supplied or 8.8.8.8
   4. Try pinging the Webserver from the Win-1 client PC. The pings should go through since there is no firewall rule blocking the connection
      

      

   5. Try pinging Win-1 client PC from the Webserver. The pings should go through since we set up the Group Policy to allow all inbound packets on the client firewall

      NOTE: Allowing all inbound packets is a horrible idea in a production environment!!!!

1.  Navigate back to the Firewall Server VM
2. Right-click on Tools in the local server page and select Group Policy Management
   1. Expand Group Policy Objects and right-click on it, select the new option to create a new object. Name this object Firewall Rules 2 for easy identification and click ok
      

      

   2. Select the newly created object and right-click on it and select the Edit option
      

      

      1. Expand Computer Configuration, Policies, Windows Settings, Security Settings, Windows Defender Firewall with Advanced Security, then select the Windows Defender Firewall with Advanced Security option
         

         

      2. Select the blue text that states Inbound Rules
      3. In the left pane, right-click on Inbound Rules and select New Rule
         

         

      4. Select the Custom option
         

         

         1. Click next
         2. Leave “All programs selected” and then click next again
         3. In the Protocol and Ports screen
            1. Protocol type: ICMPv4
            2. Then click on the customize option towards the bottom
            3. Click specific ICMP types option and then tick the Echo Requests option
               

               

            4. Click ok
         4. Click next
      5. In the scope screen
         1. Local IP address option – leave the “Any IP address” option selected
         2. Remote IP address, click “These IP addresses:”
            

            

         3. Click on add
         4. Enter the DMZ subnet (10.1.1.0/24) and press OK.
            

            

         5. Click next
      6. In the action screen, click Block the connection and then click on next
         

         

      7. In the profile screen, ensure that only the Domain option is checked, and then click next
      8. Name the rule something along the lines of “Block Pings from the DMZ”, then click on the finish option
         

         

   3. Return to the Group Policy Management window
   4. Highlight the EagleOU, then right-click on it, and select Link an Existing GPO
   5. Select the Firewall Rules 2 and press OK
      

      

   6. Navigate to each of the client machines and update their group policy by entering the following command:

      gpupdate /force

   7. Try to ping the client machines from the Web Server at 10.1.1.254; the pings are now blocked due to the newly created firewall rules
3. Block outbound pings
   1. Navigate to the Firewall server
   2. Highlight the local server, right-click on the tools option, and then select the Expand Group Policy Objects option
   3. Click to highlight EagleOU, then right-click on Firewall Rules 2 and select the edit option
   4. Expand Computer Configuration, Policies, Windows Settings, Security Settings, and then Windows Defender Firewall with Advanced Security
   5. Select Windows Defender Firewall with Advanced Security option
   6. Select the blue text that states Outbound Rules
   7. In the left pane, highlight outbound rules, right-click on it and select New Rule
      1. Select the Custom option and click next
      2. Ensure “all programs” is selected, then click next again
      3. In the Protocol and Ports screen
         1. Select ICMPv4 from the protocol type drop down
         2. Click on the customize option towards the bottom
         3. Click specific ICMP types option
         4. Tick the Echo Requests option
         5. Click ok
      4. Click next
   8. In the scope screen
      1. Click the remote IP address, these IP addresses, and then add
      2. Enter the IP address of 10.1.1.254 and click ok
      3. Click next 
   9. In the action screen click Block the connection and then click on next
   10. . In the profile screen only click the Domain option and then click next
   11. Name the rule something along the lines of “Block pings from webserver”
   12. Click on the finish option
   13. In your client machines update the group policy by using the following command:

       gpupdate /force

   14. Try and ping 10.1.1.254 from the client machines, the pings are now blocked due to the newly created firewall rules
   15. The above two rules show how a firewall can block pings from coming in, and it can block users within a domain from pinging a client on another domain and IP range.

End of Lab

Figure 00 – Contact us via prmaster@erau.edu