Many enterprises have a variety of aspects that make up their networks, like Windows Defender Firewall, GPOs, and an AD infrastructure. Vulnerabilities in any part of the network can have a domino effect; once the first domino falls, the entire trail will go down with it, which can cause irrevocable damage to your network.
Weaknesses in your network and how you can minimize them
How do vulnerabilities exist in an infrastructure? Well, they’re just a natural part of your infrastructure. When you install a VPN, a few settings, such as the cryptic algorithm to encrypt the data, are configured by default. If the VPN you’ve installed uses a cipher suite for encryption by default, you might want to update the cipher to AES or a preferred secure cipher suite to avoid relying on the default one.
Default settings and misconfigurations are security loopholes that you can fix to improve security.
Fixing network vulnerabilities using GPOs
A Group Policy Object (GPO) applies permissions and access controls to AD objects. To put it simply, you can use GPOs to dictate what an AD object can access and how much privilege it can have within a network. For example, if you don’t want users to uninstall a threat detection application you’ve installed on their computers, you can achieve that with the help of a GPO that restricts users from uninstalling the application.
Windows Defender Firewall misconfigurations and GPOs
Windows Defender Firewall gets installed with its default settings, which are not as safe as they could be. On top of that, a lot of configurations can be overlooked or misconfigured during their setup. These misconfigurations can result in Windows Defender Firewall being compromised, thereby leading to the compromise of AD. But these misconfigurations can be fixed and handled using GPOs. Here are a few common misconfigurations and their fixes.
-
Windows Defender Firewall misconfiguration: Critical systems using ICMP exceptions and responding to ping requests
The GPO fix: Configure a GPO to restrict critical systems from responding to ping requests. Since TCP port 445 is always enabled by default for printer and file sharing, your critical systems might still be responsive to a ping. So, once the GPO is configured, you need to explicitly enable the Windows Firewall: Allow file and printer sharing exception and Windows Firewall: Allow remote administration exception settings to stop incoming ping requests.
-
Windows Defender Firewall misconfiguration: Windows Defender Firewall settings allow remote access to critical systems using MMC and WMI protocols.
The GPO fix: You should minimize remote access to critical systems in your network. To achieve this, you can create a custom Windows Defender Firewall-specific GPO by navigating to Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security. Create a custom rule to avoid remote access on specific IP addresses.
If you want to allow trusted management software to have remote access to the critical systems, configure a Windows Defender Firewall-specific GPO that opens the ports used for remote administration but only allows the desired software to access the ports.
-
Windows Defender Firewall misconfiguration: Local firewall policies are more lenient than domain policies; by default, local firewall policies are available at the system level.
The GPO fix: GPOs can help you implement domain Firewall policies at the local level. Navigate to Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > (Domain Profile or Standard Profile)/Windows Firewall: Protect All Network Connections. Once this setting is enabled, create a GPO with the desired domain firewall settings and apply it to the group containing the users to whom you want to apply the domain firewall settings.
To learn more about Windows Defender Firewall misconfigurations and their GPO fixes, tune in to this 30-minute webinar, How to fix common Windows Firewall misconfigurations through GPOs.
Alternatively, you can also use a SIEM solution to get crucial reports on remote access, GPO changes, Windows Defender Firewall policy modifications, and other Windows Defender Firewall activities. You can also monitor the overall health of your network using a SIEM tool. For starters, you can try a free, 30-day trial of ManageEngine Log360, a unified SIEM with holistic network monitoring and threat detection and remediation capabilities.