Microsoft Azure AZ-801 — Section 6: Secure Windows Server networking

42. Manage Windows Defender Firewall

I want to go over now the Windows Defender Firewall capabilities that we have on Server. These really aren’t very different from what we’ve got on our client operating systems. We can very easily just go down here to Search, go to Control Panel right here, and once we get into Control Panel we have Windows Defender Firewall. We can just click on that and then we can go and allow apps through the firewall and all that. But ultimately, what Microsoft really wants you to understand here is the Advanced Firewall settings.

So, we’re going to go here to Advanced Firewall, and we have inbound and outbound rules. Now, the inbound and outbound rules work pretty much exactly like you would imagine they work. An inbound rule is going to control whether or not certain types of traffic can flow into this machine, and an outbound rule is going to control certain types of traffic trying to leave the machine. If I wanted to prevent a particular type of connection coming in to this machine, I would do an inbound rule. If I wanted to prevent this machine from being able to make a certain type of connection, I would do an outbound rule.

For example, let’s say I did not want to allow SSH, Secure Shell. I could go to Inbound here, go to New Rule, and then I can block based on programs, which, if I was going to block something like PuTTY, which is an SSH program, is what I would do. But in my case, I would want to do a port, because SSH uses port 22, so I could just block it altogether. You’ve got Predefined, and there are some rules in here that Microsoft just lets you select. You can do a Custom rule, which kind of lets you mix and match these rules any way you want. I’m going to do a Port rule, though. We’ll click Next and then we’ll put in port 22, which is a TCP rule.

If you wanted to block a range of ports, you can put a dash. Like if I wanted to block Telnet and SSH, I could do that right there. Or you could do a comma if you wanted to block just one other port. But I’m going to do port 22. We’ll click Next and we’ll say Block, click Next. And then we can specify if this is just for the Domain, if it’s going to be on a Private network like at home, or a Public network, like a guest network of some kind. I’m just going to do all of them. Click Next. I’m going to name it “Block SSH for all.” So, at that point, we’re now blocking SSH on this machine.

But what if we wanted to block it for all the servers, not just this one? So I’m just going to delete this. If I wanted to do that, I’m going to do that through a GPO. So, what we’ll do is we’ll go to our Server Manager, we’ll go to Tools and we’ll go to Group Policy Management. In Group Policy Management, we’ll go here to Group Policy Objects, and I’ll just create a GPO called “Firewall policies for servers.” So, I’ll just click OK to that, and then I’m just going to right-click it and click Edit. Then I’m going to go under Computer Configuration, Policies, and then we’ll go to Windows Settings and then Security Settings. All right. And then we’ll just scroll down a little bit here and you should see Windows Defender Firewall with Advanced Security. So, we’ll expand that out. All right. There you go. You have the exact same capabilities right here. So, we’ll right-click that, New Rule. Same screen: Port, port 22. We’ll say Block. OK. And then we’ll just name it “Block SSH.” Click Finish. And that’s it. At that point, we can just drag and drop this GPO over whatever we want. Like, if I want to just block it on servers, I just drag and drop it over Servers. At that point, it will be blocked.

Keep in mind that servers refresh their policies every 90 to 220 minutes. Domain controllers refresh their policies every 5 minutes.

So, if I pulled it over Servers and I’m sitting in front of NYC-DC1, I would need to link it to Domain Controllers as well if I wanted to affect that machine. All right.

So, that is how you can manage the Windows Defender Firewall settings for your servers.
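The same two steps the lecture clicks through, as an added PowerShell example (not from the course): the local block rule for TCP 22, then the equivalent rule written straight into the GPO. The domain name `corp.example.com` and the GPO display name are placeholders for your own environment.

```powershell
# Added example, not part of the course material.
# Assumes the GPO 'Firewall policies for servers' already exists in the
# placeholder domain corp.example.com and is linked to the Servers OU.

# 1) Local machine: New Rule -> Port -> TCP 22 -> Block -> Domain, Private, Public
New-NetFirewallRule -DisplayName 'Block SSH for all' `
    -Direction Inbound -Protocol TCP -LocalPort 22 `
    -Action Block -Profile Domain,Private,Public -Enabled True

# A range uses a dash and a list uses commas, just like the wizard text box
# (this one covers Telnet and SSH together).
New-NetFirewallRule -DisplayName 'Block Telnet and SSH' `
    -Direction Inbound -Protocol TCP -LocalPort '22-23' -Action Block

# Check the port filter behind the rule, not just its name, before trusting it.
Get-NetFirewallRule -DisplayName 'Block SSH for all' |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort

# 2) Same rule stored in the GPO so every server the GPO is linked to gets it.
#    -PolicyStore takes the form '<domain FQDN>\<GPO display name>'.
$gpo = 'corp.example.com\Firewall policies for servers'
New-NetFirewallRule -PolicyStore $gpo -DisplayName 'Block SSH' `
    -Direction Inbound -Protocol TCP -LocalPort 22 `
    -Action Block -Profile Any

# Remove the local test rule, as the lecture does before moving to the GPO,
# then pull the policy now instead of waiting for the background refresh.
Remove-NetFirewallRule -DisplayName 'Block SSH for all'
gpupdate /force

# On a server that received the GPO, the rule shows up in the active store.
Get-NetFirewallRule -PolicyStore ActiveStore -DisplayName 'Block SSH' |
    Select-Object DisplayName, Direction, Action, Profile, Enabled
```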

43. Implement domain isolation and connection security rules

Now, something else we can do involving our Defender Firewall is we can set up something called domain isolation.

Domain isolation is based on a set of rules using IPsec, which is Internet Protocol Security. And what it’s going to do is make it so your machines will only communicate with users and devices that have authenticated with your domain using IPsec as well. So, both sides have to have a policy that says, “Hey, I’m going to validate you with IPsec.” And usually the way we do it is with Kerberos. We’re going to use Kerberos for authentication. If any machine tries to communicate with this server and it cannot authenticate, it will not be allowed to communicate at all.

So, this completely disables any possibility of anonymous connectivity and things like that. You wouldn’t want this on something like a web server in this case. All right. We want any type of machine that’s going to share data with the server to be required to authenticate using IPsec with Kerberos. So, this is what domain isolation is. This is an additional layer of security.

Keep in mind, right out of the gate, that Windows client machines and all that are generally going to have to authenticate when they communicate with shared folders and so on. But there are services that can be utilized on a server that can allow anonymous connectivity. By implementing this, you’re going to make sure there’s no possibility of any kind of anonymous connectivity with the server.

So, here’s how we do that. We’re going to open up our Server Manager on NYC-DC1. In this case, we’re going to go to Tools, then Group Policy Management. Once you’re in Group Policy Management, I’m going to go down here to Group Policy Objects and I’ll just create a new GPO called “Isolation Domain Policy.” There we go. Click OK. And then we’ll just right-click that and click Edit. From there, we’re going to go underneath Computer Configuration, Policies, Windows Settings, and then Security Settings. And we’re going to scroll down a little bit and look for Windows Defender Firewall with Advanced Security. Once we’re there, we’ll expand both of those out and then we’re going to go down to Connection Security Rules.

I’ll right-click Connection Security Rules and I’m going to click New Rule, and you’re going to go with this very first rule right here, Isolation: “Restrict connections based on authentication criteria, such as domain membership or health status.” We’re going to go with that and click Next. And it lists the options: require authentication for inbound and outbound connections; require authentication for inbound connections and request authentication for outbound; or require authentication for inbound and outbound. We’re going to go with Require. So, there’s not going to be any requesting. There’s no anonymous. So, we’re going to require it as opposed to request. All right. So click Next, then what do we want to use for authentication? We want to use “Computer and user”: restrict communications to connections from domain-joined users and computers, and provide identity information for authorizing specific users and computers. So, we’ll choose that. We’re going to click Next, and we’re only going to be doing this for domain devices.

I should say, not just domain devices, but only when the devices are on the domain network. Now, we’re talking about servers mostly here, right? So we’re kind of focused on servers, and servers don’t usually travel around. But if this policy was going to go out to our client computers as well, what if we have laptop users that travel, that have to go places and communicate from other places? Well, at that point they would have problems if you selected all three of these. So, we only want this policy to be in effect when the domain is present.

If you had a laptop computer and the person went home with that laptop, it could still communicate with other computers on the network it’s on. Whereas if you chose the other profiles as well, that could stop that from happening. So, we’re going to choose Domain. We’re going to click Next. We’re just going to call this “Isolation Policy.” Click Finish, and we’ve now implemented that. So, the only thing we’ve got to do now is just drag and drop this. If we just wanted this to affect servers, we would just drag and drop it over Servers, and then it’s just a matter of the policies being refreshed. So, gpupdate /force, or you could wait the 90 to 220 minutes.

Keep in mind that right now, since we’ve only applied this to servers, it’s only going to affect servers; it’s not going to affect any clients. So, if you wanted this to affect your client computers, you’d also need to apply one to your client computers as well. But we’re mostly focused on servers here, so this is going to affect those servers.

That is how we can set up an isolation policy involving our Defender Firewall.
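The isolation rule built in the wizard above, as an added PowerShell example (not from the course) using the NetSecurity cmdlets against the same GPO, followed by the checks you would run on a server after the policy refreshes. The domain `corp.example.com` and the set names are placeholders.

```powershell
# Added example, not part of the course material.
# Assumes the GPO 'Isolation Domain Policy' exists in placeholder domain
# corp.example.com; all objects below are created inside that GPO.
$gpo = 'corp.example.com\Isolation Domain Policy'

# Wizard choice "Computer and user (Kerberos V5)":
#   phase 1 (main mode) authenticates the computer, phase 2 authenticates the user.
$p1 = New-NetIPsecAuthProposal -Machine -Kerberos
$p2 = New-NetIPsecAuthProposal -User -Kerberos
$set1 = New-NetIPsecPhase1AuthSet -DisplayName 'Computer Kerberos' -Proposal $p1 -PolicyStore $gpo
$set2 = New-NetIPsecPhase2AuthSet -DisplayName 'User Kerberos'     -Proposal $p2 -PolicyStore $gpo

# Wizard choice "Require authentication for inbound and outbound connections",
# limited to the Domain profile so a laptop taken off the network keeps working.
New-NetIPsecRule -DisplayName 'Isolation Policy' `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $set1.Name -Phase2AuthSet $set2.Name `
    -Profile Domain -PolicyStore $gpo

# --- On a server that is linked to the GPO, after 'gpupdate /force' ---

# Confirm the rule actually arrived in the active policy with Require on both sides.
Get-NetIPsecRule -PolicyStore ActiveStore -DisplayName 'Isolation Policy' |
    Select-Object DisplayName, InboundSecurity, OutboundSecurity, Profile, Enabled

# Live security associations prove peers are negotiating IPsec. If traffic is
# being dropped and these lists are empty, the peer is not authenticating
# (the "didn't do everything perfectly" case the lecture warns about).
Get-NetIPsecMainModeSA  | Select-Object LocalEndpoint, RemoteEndpoint
Get-NetIPsecQuickModeSA | Select-Object LocalEndpoint, RemoteEndpoint
```

Remember that a machine not covered by the GPO has no matching policy, so with Require on both directions it will be refused; the lecture's point about clients needing their own GPO applies here.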

Now, real quick, I finished that video and realized that I had gone and deleted this GPO afterwards. I probably should have explained this in the video.

First off, some of the stuff we’re going to be doing later in this course can be affected by that GPO. So, I actually want to get rid of that.

The other thing is, if you didn’t do everything perfectly, there could be an issue where it’s not authenticating correctly. We just want to make sure that there are no issues going forward, in case you are doing this with me. Now, if you aren’t doing this with me, that’s totally fine too. But anybody that is trying to do some of this hands-on stuff, you’re probably going to want to delete that GPO. So here I’m back in Group Policy Management. You’ll notice I’ve gotten rid of some other GPOs and stuff that I didn’t need. I’m just going to delete this isolation GPO, so it’s now gone. And if you are following along with me, I’d recommend you do the exact same thing.