- Mar 29, 2018
I prepared a simple Help for the Firewall Hardening tool. If someone would like to add/change something, then please let me know.
***************************************
The Firewall Hardening tool can apply and manage Outbound Block Rules in Windows Firewall by using Windows policies. A restart of Windows is required to apply the configuration changes.
The paths of blocked executables are displayed as a list. Each entry can be managed by using the buttons located at the bottom of the application GUI.
<Add Rule> button allows adding a rule for any executable.
<Deactivate Rule> button makes the highlighted rules inactive, but does not remove them.
<Block Rule> button changes highlighted inactive rules to blocked.
<Remove Rule> button removes highlighted rules from the list (and Windows Firewall settings).
The user can add/remove some predefined rules by using the options visible on the right of the application GUI.
<LOLBins> button allows adding rules for many executables from system folders which are known to be commonly abused by malc0ders.
<MS Office> button allows adding rules for MS Office executables (Word, Excel, PowerPoint, and Equation Editor).
<Adobe Acrobat Reader> button allows adding rules for the Adobe Acrobat Reader application.
<Recommended H_C> button allows adding some rules suited for users who applied Hard_Configurator Recommended settings.
The applied rules can also be viewed in the Windows Firewall Advanced settings, but they can be managed only by the Firewall Hardening tool, or by editing the Registry under the key: HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules.
The user can enable auditing of Windows Firewall with Advanced Security in the category "Object Access" and subcategory "Audit Filtering Platform Packet Drop". This can be done by choosing the radio button 'ON' under "Start logging events".
If auditing is enabled, then the blocked events can be filtered from the Windows Event Log by Event ID 5152. This can be done by pressing the <Blocked Events> button, visible under the OFF/ON radio buttons. The Event Log file can store entries from only the last several hours (usually 12 hours).
**************************************
Maybe include a short instruction for users who do not use Hard_Configurator?
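As an added example (not code from the Firewall Hardening tool and not part of the post above), here is a PowerShell script that does by hand what the Help text describes: it reads the outbound block rules stored under the policy key HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules and pulls outbound packet-drop events (Event ID 5152) from the Security log. It assumes the standard Windows policy rule string format (a version token followed by pipe-delimited Key=Value fields such as Action=Block, Dir=Out, App=...) and the standard 5152 event fields; the two function names are my own. It must be run from an elevated PowerShell session, and 5152 events only exist if "Filtering Platform Packet Drop" auditing is enabled.

```powershell
# Added example; not the Firewall Hardening tool's own code.
# Run elevated: the Security log is not readable from a standard user session.

# Policy-based firewall rules are stored as REG_SZ values under this key, e.g.
#   v2.30|Action=Block|Active=TRUE|Dir=Out|App=C:\Windows\System32\mshta.exe|Name=Block mshta|
# (the "v2.xx" prefix varies with the Windows version)
$PolicyRulesKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\FirewallRules'

function Get-PolicyOutboundBlockRules {
    # Returns one object per outbound Block rule found under the policy key.
    if (-not (Test-Path $PolicyRulesKey)) { return @() }
    $item = Get-Item $PolicyRulesKey
    foreach ($valueName in $item.GetValueNames()) {
        $raw    = [string]$item.GetValue($valueName)
        $fields = @{}
        foreach ($part in ($raw -split '\|')) {
            # The leading version token ("v2.30") has no '=' and is skipped here.
            if ($part -match '^([^=]+)=(.*)$') { $fields[$matches[1]] = $matches[2] }
        }
        if ($fields['Dir'] -eq 'Out' -and $fields['Action'] -eq 'Block') {
            [pscustomobject]@{
                ValueName = $valueName
                Active    = ($fields['Active'] -eq 'TRUE')   # deactivated rules stay in the key
                App       = $fields['App']
                RuleName  = $fields['Name']
            }
        }
    }
}

function Get-OutboundPacketDrops {
    param([int]$Hours = 12, [int]$MaxEvents = 5000)
    # Event 5152 is written only when this audit subcategory is enabled:
    #   auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable
    $filter = @{ LogName = 'Security'; Id = 5152; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        # Direction is a message-table reference: %%14592 = Inbound, %%14593 = Outbound.
        if ($data['Direction'] -ne '%%14593') { continue }
        [pscustomobject]@{
            Time        = $ev.TimeCreated
            # Note: 5152 records the application as an NT device path,
            # e.g. \device\harddiskvolume3\windows\system32\mshta.exe, not a drive-letter path.
            Application = $data['Application']
            DestAddress = $data['DestAddress']
            DestPort    = $data['DestPort']
            Protocol    = $data['Protocol']     # IANA number: 6 = TCP, 17 = UDP
            FilterRTID  = $data['FilterRTID']
        }
    }
}

# 1. Which executables does the policy currently block outbound?
$rules = Get-PolicyOutboundBlockRules
$rules | Sort-Object App | Format-Table Active, App, RuleName -AutoSize

# 2. Which of those executables actually tried to connect out in the last 12 hours?
#    Correlate by file name only, because the event path is in device form (see above).
$blockedNames = $rules | Where-Object Active | ForEach-Object { (Split-Path $_.App -Leaf).ToLower() }
$drops = Get-OutboundPacketDrops -Hours 12
$drops |
    Where-Object { $blockedNames -contains (Split-Path $_.Application -Leaf).ToLower() } |
    Group-Object Application |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

The 12-hour window in step 2 matches the retention the Help text mentions: packet-drop auditing is noisy, so at the default Security log size the oldest 5152 entries are overwritten after a few hours. If you need a longer history, raise the Security log maximum size (wevtutil sl Security /ms:<bytes>) or forward the events elsewhere. Rules edited here by hand, or via this key, take effect only after the restart the tool also requires.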