Tag Archives: Windows Firewall

Bringing up a new Active Directory Domain Series (Server 2022) [Part 1]

Change ms-DS-MachineAccountQuota to Zero

This attribute allows every user in the domain to join up to 10 computer objects to the domain, and those users then control the objects they created. This can actually lead to more than 10 computer objects, since every computer object is also technically a user. Best practice is to disable this behaviour by setting the attribute to zero.

You can run the following command to see if your domain is currently configured as default of 10 objects:

Get-ADObject -Identity ((Get-ADDomain).distinguishedName) -Properties ms-DS-MachineAccountQuota

If you are currently set to 10 and want to fall in line with best practices you can run the following command to change this attribute to Zero:

Set-ADDomain -Identity ((Get-ADDomain).distinguishedName) -Replace @{"ms-DS-MachineAccountQuota"="0"}

You will not be provided any feedback, you can then run the first command again to verify things are set to Zero.

Enable Recycle Bin

To enable the Recycle Bin you can run the following command (replace both occurrences of DOMAIN.COM, and make sure the quotes copy as straight quotes):

Enable-ADOptionalFeature -Identity "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=DOMAIN,DC=COM" -Scope ForestOrConfigurationSet -Target "DOMAIN.COM"

Create Key for gMSA Accounts

When you bring up a new domain you will need to create the KDSRootKey for group managed service accounts.

Add-KdsRootKey -EffectiveImmediately

KDS root keys are stored in: CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=<forest name>

Enable Central Store in Group Policy

Create the "PolicyDefinitions" folder under the Policies folder in SYSVOL.

Once the folder exists, copy the files from C:\Windows\PolicyDefinitions (including the language subfolders) into it.

Install & Configure LAPS

You can make sure the AD schema has been extended for Windows LAPS by running:

Update-LapsADSchema

You can verify that the LAPS GPOs are in Computer Configuration > Administrative Templates > System > LAPS
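The five steps above, run in order with a check after each one, as an added example that is not part of the original post. It assumes a domain controller with the ActiveDirectory RSAT module and the Windows LAPS module, a Domain Admin session, and C:\Windows\PolicyDefinitions as the source for the Central Store; it derives the domain and forest names instead of hard-coding DOMAIN.COM.

```powershell
# Added example (not from the original post): Part 1 steps with verification.
# Assumes: ActiveDirectory + LAPS modules, Domain Admin, run on a DC.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$forest   = Get-ADForest
$domainDN = $domain.DistinguishedName

# 1. ms-DS-MachineAccountQuota: report the current value, then set it to 0.
$maq = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Output "ms-DS-MachineAccountQuota is currently: $maq"
if ($maq -ne 0) {
    Set-ADDomain -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = '0' }
    $maq = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    Write-Output "ms-DS-MachineAccountQuota is now: $maq"
}

# 2. Recycle Bin: enable by feature name and target the forest, so no DN is hard-coded.
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $rb.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
        -Target $forest.Name -Confirm:$false
}
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
Write-Output "Recycle Bin enabled scopes: $($rb.EnabledScopes -join ', ')"

# 3. KDS root key for gMSAs. -EffectiveImmediately still waits 10 hours for
#    replication before the key is usable, which is what you want in production;
#    the commented alternative backdates it and is only for a single-DC lab.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveImmediately
    # Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))   # lab only
}
Get-KdsRootKey | Select-Object KeyId, EffectiveTime, CreationTime

# 4. Central Store: PolicyDefinitions under SYSVOL, seeded from the local ADMX set.
$CentralStoreSource = 'C:\Windows\PolicyDefinitions'   # assumed source folder
$centralStore = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\PolicyDefinitions"
if (-not (Test-Path $centralStore)) {
    New-Item -ItemType Directory -Path $centralStore | Out-Null
    Copy-Item -Path "$CentralStoreSource\*" -Destination $centralStore -Recurse
}
Write-Output "Central Store ADMX count: $((Get-ChildItem $centralStore -Filter *.admx).Count)"

# 5. Windows LAPS schema: extend it, then confirm the msLAPS-Password attribute exists.
Update-LapsADSchema -Verbose
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$lapsAttr = Get-ADObject -SearchBase $schemaNC -Filter 'ldapDisplayName -eq "msLAPS-Password"'
Write-Output ("LAPS schema attribute present: {0}" -f [bool]$lapsAttr)
```

Each step re-reads the value it just changed rather than trusting that the cmdlet succeeded; Set-ADDomain in particular returns nothing, so the second Get-ADObject is the only confirmation you get.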

Create Group Policy Security Baseline for Domain Controllers

Download the Windows Server 2022 Security Baseline from Microsoft: https://www.microsoft.com/en-us/download/details.aspx?id=55319

Copy these files to a Domain Controller for example in C:\Temp

Copy the files from \Templates directory into the PolicyDefinitions folder in SYSVOL

In the \Scripts directory run the .\Baseline-ADImport.ps1 file to import the GPOs

Modify the firewall rules so that only the rules you specify are enforced:

  1. Turn off rule merging for all profiles
  2. Turn on the firewall log with a maximum size of 32,767 for all profiles
  3. Log dropped and successful packets for all profiles
  4. Inbound firewall rules:
    • ICMP (Ping Allow)
    • TCP/UDP 53 (DNS)
    • TCP/UDP 88 (Kerberos)
    • UDP 123 (Time Service)
    • TCP/UDP 135 (RPC Mapper)
    • TCP/UDP 389 (LDAP)
    • TCP 445 (SMB)
    • TCP/UDP 464 (Kerberos Password Change)
    • TCP 636 (LDAPS)
    • TCP 3268/3269 (Global Catalog)
    • TCP 49152-65535 (RPC Dynamic Range) [Will modify this later]
    • TCP/UDP 3389 (RDP) [Locked to Trusted IPs]
    • TCP 5985/5986 (WinRM) [Locked to Trusted IPs]
    • TCP 9389 (AD Web Services) [Locked to Trusted IPs]

Manually create the firewall logs on the DCs by launching Windows Defender Firewall, going to the Log Settings and clicking "OK".
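The profile settings and the inbound rule list above, built into a GPO with the NetSecurity cmdlets so the whole rule set lives in one policy object, as an added example (not part of the post or of the Microsoft baseline scripts). The GPO name, the domain name and the $TrustedAdminIPs list are assumptions; the empty GPO must already exist and be linked to the Domain Controllers OU.

```powershell
# Added example (not from the post): DC inbound firewall rules written into a GPO.
# Assumed values: PolicyStore ("<domain>\<GPO name>") and the trusted admin addresses.
# Create/link the empty GPO first, e.g.
#   New-GPO -Name 'DC Firewall' | New-GPLink -Target 'OU=Domain Controllers,DC=corp,DC=example'
$PolicyStore     = 'corp.example\DC Firewall'
$TrustedAdminIPs = @('10.10.50.0/24', '10.10.51.10')   # assumed management subnet/host

# Open the GPO once so every change is batched into a single save.
$gpo = Open-NetGPO -PolicyStore $PolicyStore

# Items 1-3: no merging with local rules, 32,767 KB log, log both drops and allows.
Set-NetFirewallProfile -GPOSession $gpo -Profile Domain, Private, Public `
    -Enabled True -DefaultInboundAction Block `
    -AllowLocalFirewallRules False -AllowLocalIPsecRules False `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 32767 -LogAllowed True -LogBlocked True

# Item 4: the port list from the post; Trusted marks rules scoped to admin addresses.
$rules = @(
    @{ Name = 'DNS';                      Protocol = 'TCP','UDP'; Port = 53 }
    @{ Name = 'Kerberos';                 Protocol = 'TCP','UDP'; Port = 88 }
    @{ Name = 'Time Service';             Protocol = 'UDP';       Port = 123 }
    @{ Name = 'RPC Endpoint Mapper';      Protocol = 'TCP','UDP'; Port = 135 }
    @{ Name = 'LDAP';                     Protocol = 'TCP','UDP'; Port = 389 }
    @{ Name = 'SMB';                      Protocol = 'TCP';       Port = 445 }
    @{ Name = 'Kerberos Password Change'; Protocol = 'TCP','UDP'; Port = 464 }
    @{ Name = 'LDAPS';                    Protocol = 'TCP';       Port = 636 }
    @{ Name = 'Global Catalog';           Protocol = 'TCP';       Port = 3268, 3269 }
    @{ Name = 'RPC Dynamic Range';        Protocol = 'TCP';       Port = '49152-65535' }
    @{ Name = 'RDP';                      Protocol = 'TCP','UDP'; Port = 3389;       Trusted = $true }
    @{ Name = 'WinRM';                    Protocol = 'TCP';       Port = 5985, 5986; Trusted = $true }
    @{ Name = 'AD Web Services';          Protocol = 'TCP';       Port = 9389;       Trusted = $true }
)

# ICMP echo request (ping) has no port, so it gets its own rule.
New-NetFirewallRule -GPOSession $gpo -DisplayName 'DC - ICMPv4 Echo Request' `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 -Action Allow -Profile Domain | Out-Null

foreach ($r in $rules) {
    foreach ($proto in $r.Protocol) {
        $params = @{
            GPOSession  = $gpo
            DisplayName = "DC - $($r.Name) ($proto $($r.Port -join ','))"
            Direction   = 'Inbound'
            Protocol    = $proto
            LocalPort   = $r.Port
            Action      = 'Allow'
            Profile     = 'Domain'
        }
        # Management protocols only from trusted addresses; service ports from any source.
        if ($r.Trusted) { $params.RemoteAddress = $TrustedAdminIPs }
        New-NetFirewallRule @params | Out-Null
    }
}

# Commit the batch to the GPO, then list what it now contains.
Save-NetGPO -GPOSession $gpo
Get-NetFirewallRule -PolicyStore $PolicyStore |
    Select-Object DisplayName, Direction, Action, Enabled |
    Sort-Object DisplayName | Format-Table -AutoSize
```

Because the GPO turns off rule merging, anything not in this list (including the built-in rules) stops applying once the policy refreshes, so test it on one DC with a console session available before linking it to the whole OU.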

Create Another GPO or Add These Settings to the Current GPO

Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > System Services > Print Spooler

Define this policy and set the service startup mode to Disabled

Navigate to Computer Configuration > Preferences > Windows Settings > Registry (use the Update action under HKLM) and create the following DWORD values under SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL (protocol keys sit under the Protocols subkey):

Ciphers\Triple DES 168\Enabled = 0

Protocols\SSL 3.0\Server\Enabled = 0

Protocols\TLS 1.0\Server\Enabled = 0

Protocols\TLS 1.1\Server\Enabled = 0

Protocols\TLS 1.2\Server\DisabledByDefault = 0

Protocols\TLS 1.2\Server\Enabled = 1
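The Print Spooler and SCHANNEL settings above applied directly on a server and read back, as an added example that is not part of the post. It is the local equivalent of the GPO/GPP items, useful on a lab box or to confirm that the policy actually landed; the value table is the one listed above, and nothing else is assumed.

```powershell
# Added example (not from the post): local equivalent of the GPO/GPP items above,
# plus a compliance read-back. Run elevated; SCHANNEL changes take effect after a reboot.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Value list copied from the GPP registry items (subkey, value name, DWORD data).
$settings = @(
    @{ Key = 'Ciphers\Triple DES 168';   Name = 'Enabled';           Data = 0 }
    @{ Key = 'Protocols\SSL 3.0\Server'; Name = 'Enabled';           Data = 0 }
    @{ Key = 'Protocols\TLS 1.0\Server'; Name = 'Enabled';           Data = 0 }
    @{ Key = 'Protocols\TLS 1.1\Server'; Name = 'Enabled';           Data = 0 }
    @{ Key = 'Protocols\TLS 1.2\Server'; Name = 'DisabledByDefault'; Data = 0 }
    @{ Key = 'Protocols\TLS 1.2\Server'; Name = 'Enabled';           Data = 1 }
)

function Set-SchannelValue {
    param([string]$Key, [string]$Name, [int]$Data)
    $path = Join-Path $schannel $Key
    # Protocol subkeys do not exist by default; create the whole chain on demand.
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $Name -Value $Data -PropertyType DWord -Force | Out-Null
}

function Test-SchannelValue {
    param([string]$Key, [string]$Name, [int]$Expected)
    $path   = Join-Path $schannel $Key
    $actual = (Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{
        Key = $Key; Name = $Name; Expected = $Expected; Actual = $actual
        Compliant = ($actual -eq $Expected)
    }
}

# Print Spooler: stop it now and keep it off across reboots (the System Services item above).
Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
Set-Service  -Name Spooler -StartupType Disabled
Get-Service  -Name Spooler | Select-Object Name, Status, StartType

# Apply every SCHANNEL value, then show a one-line-per-value compliance table.
foreach ($s in $settings) { Set-SchannelValue @s }
$settings |
    ForEach-Object { Test-SchannelValue -Key $_.Key -Name $_.Name -Expected $_.Data } |
    Format-Table -AutoSize
```

The read-back function is the part worth keeping: run it on its own after a policy refresh to see which DCs still accept SSL 3.0 or TLS 1.0/1.1 on the server side, and test LDAPS and RDP from your oldest client OS before the TLS 1.0/1.1 items go out, since clients that cannot negotiate TLS 1.2 will simply fail to connect.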

Managing Windows Server Core Firewall with Group Policy

As I’m migrating Domain Controllers over to Server Core one of the major issues I’ve run into is managing the Windows Firewall Rules. On a GUI version of Windows Server it is very easy to see what firewall rules are applied, in core… not so much, especially if you are pushing them with GPO (Group Policy).

All of the PowerShell cmdlets and netsh advfirewall commands seem to return the local firewall rules and not any of the Group Policy pushed firewall rules. Moreover, I could not find an easy way to see what the current firewall rules are that are applied via GPO.

Since I have disabled all of the built-in firewall rules to lock down the Domain Controller firewall rules as tightly as possible, the Windows Firewall MMC would not open, even with RPC open and the dynamic RPC range locked to specific ports but open. I was seeing no blocked traffic in the Windows Firewall logs.

I received the following error message:

“There was an error opening the Windows Firewall with Advanced Security snap-in”

“The specified computer could not be remotely managed. Ensure that you are not trying to connect to a remote computer with an earlier version of Windows…..”

My solution to this problem was to enable the built-in firewall rules for Remote Firewall Management so you can use the MMC console:

Windows Firewall Remote Management (RPC)
Windows Firewall Remote Management (RPC-EPMAP)

These firewall rules seem to have some special magic to them that I haven’t put my finger on yet that allow the Remote MMC Firewall snap-in to work. You can of course lock these rules down to remote IPs as well.
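The two rules named above enabled on a Core DC, restricted to a management subnet, and then the effective rule set listed, as an added example that is not part of the post. $MgmtSubnet is an assumed value; the rule display names are the ones from the post, and the ActiveStore policy store used at the end is the merged set of rules currently in force on the machine, whichever store they came from.

```powershell
# Added example (not from the post): enable and scope the remote firewall
# management rules, then list the rules that are actually in effect.
$MgmtSubnet = '10.10.50.0/24'   # assumed management subnet
$names = @(
    'Windows Firewall Remote Management (RPC)',
    'Windows Firewall Remote Management (RPC-EPMAP)'
)

foreach ($n in $names) {
    # Scope first, then enable, so the rule never briefly allows any source.
    Set-NetFirewallRule    -DisplayName $n -RemoteAddress $MgmtSubnet
    Enable-NetFirewallRule -DisplayName $n
}

# Confirm the scoping took: one line per rule with its remote address filter.
Get-NetFirewallRule -DisplayName 'Windows Firewall Remote Management*' |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            Profile       = $_.Profile
            RemoteAddress = ($addr -join ',')
        }
    } | Format-Table -AutoSize

# ActiveStore is the merged, currently effective rule set, so rules delivered by
# Group Policy appear here next to local ones; PolicyStoreSource says which.
Get-NetFirewallRule -PolicyStore ActiveStore -Enabled True -Direction Inbound |
    Select-Object DisplayName, Profile, Action, PolicyStoreSource |
    Sort-Object PolicyStoreSource, DisplayName |
    Format-Table -AutoSize
```

On a Core box the last query is the quickest way to see whether a rule you expect from the GPO is actually present; if it is missing there, the problem is policy application (gpresult /r or a gpupdate /force), not the firewall engine.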

Monitoring Domain Controller Windows Firewall Logs (Part of Active Directory Hardening Series)

The first step before you can monitor the local DC firewall logs is to make sure you have properly setup your domain controllers to log firewall activity. If you have not already turned on firewall logging and increased the log size to the maximum you can configure that by looking at my prior post: https://paularquette.com/lock-down-your-active-directory-domain-controllers-internet-access-part-of-my-active-directory-hardening-series/

I have shared a new script on GitHub to do some basic monitoring of dropped traffic on your Domain Controllers. https://github.com/paularquette/Active-Directory/blob/main/AD_Monitor_DC_Firewall_Logs.ps1

I currently run this script every hour and I get plenty of overlap for logs. The logs roll relatively quickly, but not that quickly. I'm also logging all allows, and I may change that in the future to only log drops.

In order to see dropped traffic outbound you would have to have outgoing firewall rules in place. By default traffic is not blocked going out. You can reference my previous post linked above.

In the example below you can see I'm limiting all TCP/UDP outbound traffic on non-HTTP ports to a certain subset of IP ranges:

If this Domain Controller tries to send any non-HTTP(S) traffic outside of the organization, it will show up in the DC firewall logs.

Example of HTML Report:

If your IT Security group has the hardware firewalls super locked down you may not see much if any traffic being dropped on the local DCs, but it still isn’t a bad idea to have another layer of security around such a high profile service!
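The monitoring described in this post done in a self-contained way, as an added example that is not the author's GitHub script: it parses the pfirewall.log format, summarises DROP entries by direction, protocol and destination port (with the peer addresses involved), and writes an HTML report. The log path is the Windows default, the lookback window is one hour to match the post's schedule, and the embedded log lines are constructed sample data used only when no real log is present so the example runs anywhere.

```powershell
# Added example (not the script linked in the post): summarise dropped traffic
# from a Windows Firewall log and write an HTML report.
$LogPath       = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"   # default log location
$ReportPath    = "$env:TEMP\dc-firewall-drops.html"
$LookbackHours = 1   # the post runs its script hourly

# Constructed sample in the pfirewall.log layout (header lines, then one entry per line).
# Used only when the real log is absent.
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-01 09:00:01 ALLOW TCP 10.10.1.25 10.10.1.10 51000 389 0 - 0 0 0 - - - RECEIVE
2024-03-01 09:00:02 DROP TCP 10.10.1.10 203.0.113.7 50223 25 52 S 123456 0 8192 - - - SEND
2024-03-01 09:00:03 DROP TCP 10.10.1.10 203.0.113.7 50224 25 52 S 123457 0 8192 - - - SEND
2024-03-01 09:00:04 DROP UDP 198.51.100.9 10.10.1.10 41000 389 78 - - - - - - - RECEIVE
'@

function Read-FirewallLog {
    param([string]$Path, [string]$Fallback)
    $lines  = if (Test-Path $Path) { Get-Content $Path } else { $Fallback -split "`r?`n" }
    $fields = $null
    foreach ($line in $lines) {
        # The #Fields header defines the column order; everything else starting with # is a comment.
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'; continue }
        if ($line -like '#*' -or -not $line.Trim() -or -not $fields) { continue }
        $parts = $line -split '\s+'
        if ($parts.Count -lt $fields.Count) { continue }   # skip a truncated (still being written) line
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $obj[$fields[$i]] = $parts[$i] }
        $obj['timestamp'] = [datetime]"$($obj.date) $($obj.time)"
        [pscustomobject]$obj
    }
}

function Get-DropSummary {
    param([object[]]$Entries, [datetime]$Since)
    $Entries |
        Where-Object { $_.action -eq 'DROP' -and $_.timestamp -ge $Since } |
        Group-Object path, protocol, 'dst-port' |
        ForEach-Object {
            $first = $_.Group[0]
            # For outbound drops (SEND) the interesting peer is the destination; for inbound it is the source.
            $peerField = if ($first.path -eq 'SEND') { 'dst-ip' } else { 'src-ip' }
            [pscustomobject]@{
                Direction = $first.path
                Protocol  = $first.protocol
                DstPort   = $first.'dst-port'
                Count     = $_.Count
                Peers     = ($_.Group.$peerField | Sort-Object -Unique) -join ', '
                LastSeen  = ($_.Group.timestamp | Sort-Object | Select-Object -Last 1)
            }
        } | Sort-Object Count -Descending
}

$entries = Read-FirewallLog -Path $LogPath -Fallback $sampleLog
# On a live DC look back one hour; with the sample data use its own date.
$since   = if (Test-Path $LogPath) { (Get-Date).AddHours(-$LookbackHours) } else { [datetime]'2024-03-01' }
$summary = Get-DropSummary -Entries $entries -Since $since

$summary | Format-Table -AutoSize
$summary |
    ConvertTo-Html -Title "DC firewall drops: $env:COMPUTERNAME" `
        -PreContent "<h2>Dropped traffic on $env:COMPUTERNAME since $since</h2>" |
    Set-Content -Path $ReportPath
Write-Output "Report written to $ReportPath"
```

With the sample data the report shows two rows: two outbound TCP drops to port 25 from the DC itself (exactly the kind of non-HTTP egress the outbound rules in this post are meant to surface) and one inbound UDP 389 drop from an address outside the allowed ranges. Grouping on direction and destination port rather than on individual packets keeps the hourly report readable even when a scanner hits the DC thousands of times.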